6 Replies Latest reply: Nov 30, 2012 1:53 PM by Gautam Singh

JBoss Secure Cookie on https

970028 Newbie
Hello Community,

If your first hit to the JBoss application happens to be https, the server will issue a "Secure" JSESSIONID cookie. As soon as you get off https, your server then issues a new non-secure JSESSIONID cookie and so you lose your session.

For example:

First hit to site:
https://site.com/login.jsp
<- issues secure JSESSIONID cookie

Second hit to site:
http://site.com/homepage.jsp
<- issues new non-secure JSESSIONID cookie, so the fact that you logged in is lost.

Example 2:

First hit to site:
http://site.com/homepage.jsp
<- issues non-secure JSESSIONID cookie

Second hit to site:
https://site.com/login.jsp
<- previous non-secure JSESSIONID cookie is used, all is well.

Wondering what ways people have found to get around this issue. I had an unsupported valve provided by ATG support for JBoss 4.0.3, but now that we are upgrading to JBoss 5.1.0, we find the valve doesn't work.

Joe
  • 1. Re: JBoss Secure Cookie on https
    Girish V U Newbie
    Try using ProtocolSwitchServlet when you make transitions between secure and non-secure pages.
  • 2. Re: JBoss Secure Cookie on https
    970028 Newbie
    Don't really see how the ProtocolSwitchServlet addresses this issue.
  • 3. Re: JBoss Secure Cookie on https
    Gautam Singh Journeyer
    It is default JBoss behavior to secure the JSESSIONID cookie for HTTPS requests, but I think you can configure JBoss not to secure the JSESSIONID cookie for HTTPS requests.
    Though it's not always recommended because of the security vulnerability: a malicious user can steal your cookie from an HTTP request.
    The other recommended way is to implement HTTPS throughout your website. Obviously it also comes with a cost in terms of SSL overhead, cost overhead, and if you are using a cross-domain session cookie where one domain is secure and the other is not.
  • 4. Re: JBoss Secure Cookie on https
    970028 Newbie
    It is certainly JBoss default behavior to issue a secure cookie when the first request to the site is done over https. There is no way to configure JBoss to not use the secure cookie as far as I know - something custom is required here.

    For a site that uses a mix of http and https, this behavior makes no sense to me. The secure cookie is only issued if your first hit happens to be over https, which is rare. Most of the time, your first hit will be http, in which case a non-secure cookie is issued and used for the remainder of the session.

    Joe
  • 5. Re: JBoss Secure Cookie on https
    Nitin Khare Expert
    I have not tried this but see if you can override the default cookie behavior using the custom filter approaches mentioned in the following resources.

    http://www.seamframework.org/Documentation/HttpHttpsSessionLostOnLogout

    http://forum.springsource.org/archive/index.php/t-65651.html (refer to comments by user "csw199")
  • 6. Re: JBoss Secure Cookie on https
    Gautam Singh Journeyer
    Did you try setting
    <SessionCookie path="/" secure="false" httpOnly="false"/>
    in J2EE application context.xml?
    Also "everything on HTTPS" is the recommended approach by security experts. Having both HTTP and HTTPS on your site opens a vulnerability to MITM attacks.
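The two request sequences from the original post, replayed as an added example (this is not code from the thread, ATG or JBoss): a toy container modelled on the behaviour Joe describes, driven through Python's standard-library cookie jar, which enforces the Secure attribute the way a browser does. The ToyContainer class, its session table, the rule that login.jsp "logs you in" as user joe, and the host site.com are assumptions made for the simulation; a third run shows the all-HTTPS approach recommended in the replies above, where the session survives and the cookie is never sent in the clear.

```python
"""Replay mixed HTTP/HTTPS request sequences against a toy container.

Added example, not from the thread. The container (hypothetical) mimics the
behaviour described in the original post: a new JSESSIONID is issued whenever
no known one is presented, and it carries the Secure attribute only if the
request that created it arrived over HTTPS. The cookie jar is the real
stdlib one, so the Secure semantics (cookie withheld on http://) are genuine.
"""
import http.cookiejar
import secrets
import urllib.request
from email.message import Message
from urllib.parse import urlsplit


class _Response:
    """Just enough of a urllib response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def _parse_cookie_header(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; None or '' gives {}."""
    pairs = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name] = value
    return pairs


class ToyContainer:
    """Hypothetical stand-in for the JBoss behaviour described in the post."""

    def __init__(self):
        self.sessions = {}  # session id -> attributes
        self.issued = []    # (scheme, session id, secure flag) per new cookie

    def handle(self, url, cookie_header):
        scheme = urlsplit(url).scheme
        presented = _parse_cookie_header(cookie_header).get("JSESSIONID")
        set_cookie = []
        if presented in self.sessions:
            session = self.sessions[presented]
        else:
            sid = secrets.token_hex(16).upper()
            session = self.sessions[sid] = {}
            attrs = ["JSESSIONID=" + sid, "Path=/", "HttpOnly"]
            if scheme == "https":
                attrs.append("Secure")  # the behaviour the thread is about
            set_cookie.append("; ".join(attrs))
            self.issued.append((scheme, sid, scheme == "https"))
        if urlsplit(url).path == "/login.jsp":
            session["user"] = "joe"  # constructed: login.jsp logs you in
        return session.get("user"), set_cookie


def browse(container, urls):
    """Visit urls in order with one cookie jar; report what each hop saw."""
    jar = http.cookiejar.CookieJar()
    hops = []
    for url in urls:
        request = urllib.request.Request(url)
        jar.add_cookie_header(request)  # Secure cookies are skipped on http://
        cookie_header = request.get_header("Cookie")
        user, set_cookie = container.handle(url, cookie_header)
        jar.extract_cookies(_Response(set_cookie), request)
        hops.append({
            "url": url,
            "sent": _parse_cookie_header(cookie_header).get("JSESSIONID"),
            "user": user,
        })
    return hops


def scenario(urls):
    """Run one sequence on a fresh container; return (container, hops)."""
    container = ToyContainer()
    return container, browse(container, urls)


if __name__ == "__main__":
    runs = {
        "example 1: https first, then http": [
            "https://site.com/login.jsp", "http://site.com/homepage.jsp"],
        "example 2: http first, then https, then http": [
            "http://site.com/homepage.jsp", "https://site.com/login.jsp",
            "http://site.com/homepage.jsp"],
        "everything on https": [
            "https://site.com/login.jsp", "https://site.com/homepage.jsp"],
    }
    for name, urls in runs.items():
        container, hops = scenario(urls)
        print(name)
        for hop in hops:
            print("  {url:<30} sent={sent} user={user}".format(**hop))
        print("  cookies issued:", container.issued)
```

In example 1 the second hop presents no cookie at all, the container mints a fresh non-secure session, and the login is gone. In example 2 the session survives, but the same JSESSIONID that authenticates joe is now presented on every plain-http hop, which is exactly the cookie-theft risk raised in the replies. The all-HTTPS run keeps the session and only ever issues a Secure cookie.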
