jsessionid

This issue is driving me insane, so maybe someone could help me understand what the issue is. I have a tomcat web application being fronted by HAProxy. HAProxy is also doing SSL offloading, and is configured to use sticky sessions. I am using Tomcat's session replication feature which seems to be working just fine. The sessions appear on both appservers. For some reason, Tomcat is generating a new JSESSIONID for every single web request, and then copying the contents of the old session into the new session. That is to say, my session contents are still there within the new session, but a new

Does anyone know what changed in the configuration between Tomcat 6 and Tomcat 7 that would cause the JSESSIONID cookie to not be accessible via JavaScript? Using Tomcat 6: alert(document.cookie); // JSESSIONID=8675309ABCDEF... Using Tomcat 7: alert(document.cookie); // nothing Jeff R. Okay, I found the answer. The useHttpOnly attribute was set to false by default in Tomcat 6 , and is true in Tomcat 7 . This attribute is set for the <Context> container. <Context useHttpOnly="false" [...] /> For more information about updating from Tomcat 6 to 7: Migrating from 6.0.x to 7.0.x I'm not sure why I

I am using spring MVC and having a problem in jsessionid, what I found is that jsessionid is injected in the url if cookies isn't enabled in the browser producing a url like that: http://localhost/categories;jsessionid=Bsls4aQFXA5RUDcmZKV5iw?cid=13001 Actually there is no problem with browsers but when Google crawl my site, and seems Google crawlers don't have cookies :), they store urls of my site in that form and my site appears in search results having URLs like that ones containing jsessionid. Actually it's running without any problems, but I prefer to have URLs appear in Google search

A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomcat sets this cookie when our stateless Login Page loads, but before login. They suggest either of the following: issue a new JSESSIONID cookie after login prevent a JSESSIONID cookie from being set in the first place on the Login Page (i.e., before authentication has happened) I have been poring through everything JSESSIONID-related on this site and can find no easy answer. I'm just hoping for some ideas. My best

I want to set 'secure' flag to JSESSIONID cookie . Is there a configuration in tomcat 6 for this ? I tried by setting 'secure="true"' in 'Connector' (8080) element of server.xml , but it creates problems ....thats Connection is getting reset . Note that in my application , the JSESSIONID is getting created in 'http' mode ( index page ) , when the user logins , it will switch into 'https' mode. If you are using tomcat 6 you can do the following workaround String sessionid = request.getSession().getId(); response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure ; HttpOnly"); see