5 Replies Latest reply on Oct 21, 2010 7:33 AM by 806960

    JSESSIONID not sent by IE8 when requesting Java Applet

      My weblogic application was working properly when deployed on weblogic 9, but was not working when deployed on weblogic 10.3. The problem is due to JSESSIONID not sent to the web application when requesting Java Applet. I have constructed a very simple web application to illustrate the problem.

      There is no JSESSIONID cookie sent when requesting hello.jar. However, if I type the hello.jar request directly in the browser, JSESSIONID cookie is sent.

      Anyone knows why or a workaround? I need JSESSIONID to check user login status in my application.

      By the way, I compiled all java using JDK1.6.


      --------------------Example codes---------------------------

      hello.html -
      <applet code="Hello.class" archive="hello.jar" width=400 height=400></applet>

      Hello.jar -
      import java.applet.Applet;
      import java.awt.Graphics;

      public class Hello extends Applet
      public Hello() {}

      public void init() {}

      public void stop() {}

      public void paint(Graphics g)
      g.drawString("Hello, Word", 20, 40);


      web.xml -
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
      <web-app id="WebApp">



      AAFilter.java -

      package com;

      import java.io.IOException;

      import javax.servlet.Filter;
      import javax.servlet.FilterChain;
      import javax.servlet.FilterConfig;
      import javax.servlet.RequestDispatcher;
      import javax.servlet.ServletException;
      import javax.servlet.ServletRequest;
      import javax.servlet.ServletResponse;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.Cookie;
      import javax.servlet.http.HttpSession;

      public class AAFilter implements Filter {

      protected FilterConfig filterConfig;

           public void init(FilterConfig config) throws ServletException {

           } //end of init method

           public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws ServletException, IOException {

      HttpServletRequest r=(HttpServletRequest) req;

      System.out.println("Request is: "+r.getRequestURL());

                Cookie ck[]=r.getCookies();
                if(ck != null) {
                     for(int i=0; i<ck.length; i++)
                          System.out.println("Cookie is: "+ck.getName());

                else System.out.println("No cookies");

      HttpSession ses = r.getSession(false);
      if(ses == null) {r.getSession(true);}

      chain.doFilter(req, resp);

           } //end of doFilter method

           public void destroy() {

      }//end of AAFilter
        • 1. Re: JSESSIONID not sent by IE8 when requesting Java Applet
          I've found out the problem and a solution. This is due to Weblogic session-descriptor cookie-http-only default value. By default, cookie-http-only is true. According the httponly directive, if httponly is true, then browser clients do not send out any cookies including JSESSIONID cookie when requesting any scripting codes such as Javascripts and Java applets. To make a browser client send out cookies with such requests, you must set httponly FALSE. You can do this by by including the following in weblogic.xml file:


          By the way, the latest weblogic 10.3 documentation has missed out this element.
          • 2. Re: JSESSIONID not sent by IE8 when requesting Java Applet
            I have the same problem going from 10.3 to 10.3.1. I could not find any documentation regarding this change of behavior.
            HTTPONLY directive is set to true by default and it has never caused a problem. Why did 10.3.1 set JSESSIONID as HTTPONLY based on this directive? What was reason for this change in behavior? Is there a way to keep HTTPONLY = true, but tell WebLogic not to set HTTPONLY for JSESSIONID?
            • 3. Re: JSESSIONID not sent by IE8 when requesting Java Applet
              Thanks for posting this solution. I had the same issue, where the JSESSIONID was not getting passed on the invocation of the applet and hence the subsequent calls from the applet to servlet were being treated as new session (as the sticky session was lost due to the JSESSIONID missing in the Cookie). After adding <cookie-http-only>false</cookie-http-only> the the weblogic.xml the JSESSIONID started getting passesd to the applet and to the subsequent calls to servlt from the applet.

              FYI - I started facing the issue when my application was migrated from weblogic 9.2 to 10.3.2.
              • 4. Re: JSESSIONID not sent by IE8 when requesting Java Applet
                Something to add is that the "<cookie-http-only>false</cookie-http-only>" is sticky for the HTTP session in WLS 10.3.1 - WLS 10.3.3, meaning that the first webapp that sets it and subsequent webapps cannot override the value.

                This causes problems when the a user needs to navigate between multiple webapps, like if a 'landing page' webapp precedes the main webapp. The solution is to add the "<cookie-http-only>false</cookie-http-only>" to every webapp that could be visited first.

                • 5. Re: JSESSIONID not sent by IE8 when requesting Java Applet

                  i got exactly the same problem, and solution works on IE... but not on firefox (even using IE Tab extension), opera ...

                  did you try it on other browser than IE ?