users@glassfish.java.net

Re: Java App Server 8.1 - secure cookies/JSESSIONID

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Mon, 01 Jun 2009 13:56:47 -0700

On 05/30/09 05:14 PM, Martin Gainty wrote:
> a nasty bug found last year here is the text
>
> but you should not have to touch the code as long as jvmRoute tracks
> Sessions via JSESSIONID here is text
> > We use apache and glassfish and specify jvmRoute for
> > connecting apache and glassfish instance.
> > If we use jvmRoute, glassfish uses the JSESSIONID cookie. We tried
> > to check JSESSION cookie is secure in HTTPS protocol.
> > But it does not work properly. We find fix point in glassfish
> > source. It's javax.servlet.http.Cookie.OutputBuffer.java
> > In that source JSESSIONID is set secure if protocol is
> > secure. We fix source code and the problem is gone.
> >
> > In method private void addSessionCookieWithJvmRoute() we add
> > below at line 704 of OutputBuffer.java
> >
> > if (req.isSecure()) {
> >     cookie.setSecure(true);
> > }
> http://forums.java.net/jive/thread.jspa?threadID=42847
>
> https://glassfish.dev.java.net/issues/show_bug.cgi?id=5200
>
> did Jan Luehe commit the patch into 9.1.1_b43 distro?

Yes, I did!

I also forward-ported the fix to GlassFish v3.

Thanks,

Jan
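
A way to verify the behaviour discussed in this thread from the outside, as an added example that is not part of the original messages or of the GlassFish source: it audits the `Set-Cookie` headers of a response and reports a `JSESSIONID` issued over HTTPS without the `Secure` attribute. The function names, the sample headers and the assumption that the jvmRoute is appended to the session id after a dot are this example's own.

```python
# Added example: audit Set-Cookie headers for a session cookie lacking Secure.
# Sample headers below are constructed, not captured from a real server.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def audit_session_cookies(scheme, set_cookie_headers, cookie_name="JSESSIONID"):
    """Return one finding per session cookie sent over HTTPS without Secure."""
    findings = []
    if scheme.lower() != "https":
        return findings  # the fix only sets Secure when the request is secure
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        # Assumption: with jvmRoute configured the value is "<id>.<route>".
        _session_id, _, route = value.partition(".")
        if "secure" not in attrs:
            # Report the route only; never log the session id itself.
            findings.append({"cookie": name, "jvm_route": route or None,
                             "issue": "missing Secure attribute"})
    return findings


# Constructed responses: before and after the fix described in the thread.
BEFORE_FIX = ["JSESSIONID=0a1b2c3d4e5f.worker1; Path=/app", "theme=dark; Path=/"]
AFTER_FIX = ["JSESSIONID=0a1b2c3d4e5f.worker1; Path=/app; Secure"]

if __name__ == "__main__":
    print(audit_session_cookies("https", BEFORE_FIX))
    print(audit_session_cookies("https", AFTER_FIX))
```
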