users@glassfish.java.net

Re: FYI:How to fix 'JSESSIONID is not set secure in HTTPS protocol'

From: <Jan.Luehe_at_Sun.COM>
Date: Wed, 25 Jun 2008 09:28:15 -0700

Hi Susumu,

真嶌 晋 wrote:

>FYI
>
>Hello,
>
>We have been struggling with a JSESSIONID problem. Finally we found the fix point.
>
>We use apache and glassfish and specify jvmRoute for connecting apache and the glassfish instance.
>If we use jvmRoute, glassfish uses a JSESSIONID cookie. We tried to check that the JSESSION cookie is secure in
>the HTTPS protocol.
>But it does not work properly. We found the fix point in the glassfish source. It's javax.servlet.http.Cookie.OutputBuffer.java
>In that source JSESSIONID is set secure if protocol is secure. We fixed the source code and the problem is gone.
>
>In method private void addSessionCookieWithJvmRoute() we added the code below at line 704 of OutputBuffer.java
>
>    if (req.isSecure()) {
>        cookie.setSecure(true);
>    }
>
>It's just information for anyone who is struggling with the same problem.
>
>I reported it to the community.
>https://glassfish.dev.java.net/issues/show_bug.cgi?id=5200
>
>

Thanks for your proposed fix!

Your analysis is right on the spot!

How about fixing the issue as per the attached diffs, which would also
retain the fix for https://glassfish.dev.java.net/issues/show_bug.cgi?id=5054?

I'm going to attach the diffs, the complete OutputBuffer.java that has
my suggested fix, and a patch containing the fixed OutputBuffer.class,
to the GlassFish issue
(https://glassfish.dev.java.net/issues/show_bug.cgi?id=5200) you filed.

Can you please try it out and report back?

Thanks again,


Jan



Index: OutputBuffer.java
===================================================================
RCS file: /cvs/glassfish/appserv-webtier/src/java/org/apache/coyote/tomcat5/OutputBuffer.java,v
retrieving revision 1.16.6.8
diff -u -r1.16.6.8 OutputBuffer.java
--- OutputBuffer.java 22 May 2008 03:09:35 -0000 1.16.6.8
+++ OutputBuffer.java 25 Jun 2008 16:21:24 -0000
@@ -697,12 +697,7 @@
         Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
                                    sess.getIdInternal() + "." +
                                    ctx.getJvmRoute());
- String ctxName = ctx.getName();
- if (ctxName != null && ctxName.length() > 0) {
- cookie.setPath(ctxName);
- } else {
- cookie.setPath("/");
- }
+ req.configureSessionCookie(cookie);
         response.addHeader(SET_COOKIE_HEADER,
                            coyoteResponse.getCookieString(cookie));
     }
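
Review bot: the added `req.configureSessionCookie(cookie);` line replaces the explicit `ctxName` / "/" path logic, but its body is not part of this diff, so the hunk alone does not show that the cookie still gets a path when `ctx.getName()` is null or empty, or that the secure flag is set when the request is secure (the point of issue 5200). Please include the `configureSessionCookie` implementation in the review, or state in the commit message that it covers both, and add a test that requests a jvmRoute-enabled context over HTTPS and checks the resulting Set-Cookie string for the path and the Secure attribute.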
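
A way to confirm the behaviour discussed in this thread from outside the server, as an added example that is not part of either message or of GlassFish: it parses Set-Cookie values and flags a JSESSIONID (including the `<id>.<jvmRoute>` form) that was sent on an HTTPS request without the Secure attribute. The header strings, the route name `instance1` and the path `/app` are constructed samples.

```python
# Added example: audit Set-Cookie headers for a session cookie that lacks Secure.
# The header strings below are constructed samples, not captured GlassFish output.

SESSION_COOKIE = "JSESSIONID"  # servlet session cookie name discussed in the thread


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(set_cookie_headers, request_is_https):
    """Return findings for session cookies sent over HTTPS without Secure."""
    findings = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name != SESSION_COOKIE:
            continue
        # With jvmRoute configured the value is "<session id>.<jvmRoute>".
        _, dot, route = value.rpartition(".")
        route = route if dot else None
        if request_is_https and "secure" not in attrs:
            findings.append({"route": route, "path": attrs.get("path"),
                             "issue": "session cookie set over HTTPS without Secure"})
    return findings


# Constructed samples: the jvmRoute cookie without and with the Secure attribute.
BEFORE_FIX = ["JSESSIONID=0123456789abcdef.instance1; Path=/app"]
AFTER_FIX = ["JSESSIONID=0123456789abcdef.instance1; Path=/app; Secure"]

if __name__ == "__main__":
    print(audit_session_cookie(BEFORE_FIX, request_is_https=True))
    print(audit_session_cookie(AFTER_FIX, request_is_https=True))
```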