When the session ID is changed by o.a.c.h.s.JvmRouteBinderValve, the HttpOnly flag is not set on the newly created session cookie. The cause is in the following code of o.a.c.h.s.JvmRouteBinderValve#setNewSessionCookie:

    protected void setNewSessionCookie(Request request, Response response, String sessionId) {
        if (response != null) {
            Context context = request.getContext();
            if (context.getCookies()) {
                // set a new session cookie
                Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME, sessionId);
                newCookie.setMaxAge(-1);
                String contextPath = null;
                if (!response.getConnector().getEmptySessionPath() && (context != null)) {
                    contextPath = context.getEncodedPath();
                }
                if ((contextPath != null) && (contextPath.length() > 0)) {
                    newCookie.setPath(contextPath);
                } else {
                    newCookie.setPath("/");
                }
                if (request.isSecure()) {
                    newCookie.setSecure(true);
                }
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("jvmRoute.newSessionCookie", sessionId,
                            Globals.SESSION_COOKIE_NAME, newCookie.getPath(),
                            new Boolean(newCookie.getSecure())));
                }
                response.addCookie(newCookie);
            }
        }
    }

The HttpOnly flag is never set on the Cookie, regardless of the value of context.getUseHttpOnly(). When context.getUseHttpOnly() is set to true, it is necessary to set HttpOnly on the Cookie.

I made two patches. The first is a patch for Tomcat 6 (tomcat/tc6.0.x/trunk/). This patch uses response.addCookieInternal(Cookie, boolean). The second is a patch for Tomcat 7 or later (tomcat/trunk/). This patch uses javax.servlet.SessionCookieConfig. (Has it not been implemented yet? I tried to make a patch.) It is similar to org.apache.catalina.connector.Request#configureSessionCookie.

Best regards.
Created attachment 24013 [details] JvmRouteBinderValve For Tomcat6_trunk

This patch is for Tomcat 6 (tomcat/tc6.0.x/trunk/). This patch uses response.addCookieInternal(Cookie, boolean).
Created attachment 24014 [details] JvmRouteBinderValve For Tomcat_trunk

This patch is for Tomcat 7 or later (tomcat/trunk/). This patch uses javax.servlet.SessionCookieConfig. (Has it not been implemented yet? I tried to make a patch.) It is similar to org.apache.catalina.connector.Request#configureSessionCookie.
I reproduced this case.

[Configuration]
Clustering with TomcatA and TomcatB.
Both TomcatA and TomcatB set <Context useHttpOnly="true" />.
Both TomcatA and TomcatB set JvmRouteBinderValve.

[Test]
1. Access TomcatA (a session is created).
2. Access TomcatB (the session ID is changed by JvmRouteBinderValve).

In the above test, the value of the Set-Cookie header was captured using RequestDumperValve. It is as follows.

[Before changing the session ID]

    ...
    Jul 27, 2009 6:39:55 PM org.apache.catalina.valves.RequestDumperValve invoke
    INFO: header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w; Path=/test; HttpOnly
    ...

This means HttpOnly is set.

[After changing the session ID with JvmRouteBinderValve]

    ...
    Jul 27, 2009 6:40:05 PM org.apache.catalina.valves.RequestDumperValve invoke
    INFO: header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w2; Path=/test
    ...

This means HttpOnly is not set. Therefore, when the session ID is changed by JvmRouteBinderValve, HttpOnly is not set on the Set-Cookie header.

Best Regards.
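The reproduction above can be turned into a regression check that runs against the Set-Cookie values captured by RequestDumperValve: every JSESSIONID cookie a node emits after failover must still carry HttpOnly when the Context has useHttpOnly="true". The following is an added example (not the reporter's patch and not Tomcat code); it embeds the two header values from the report as its input, flags the one that lost the flag, and models the attributes the patched valve should emit. The expectedSessionCookie method is a simplified rendering of the cookie attributes for illustration, not Tomcat's own cookie serializer.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Regression check for the defect in this report: once JvmRouteBinderValve has
 * rewritten the session ID, the new Set-Cookie header must still carry HttpOnly
 * whenever the Context has useHttpOnly="true". Added example; not Tomcat code.
 */
public class SessionCookieHttpOnlyCheck {

    /** Set-Cookie values copied from the RequestDumperValve output in the report. */
    static final String BEFORE_FAILOVER =
            "JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w; Path=/test; HttpOnly";
    static final String AFTER_FAILOVER =
            "JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w2; Path=/test";

    /** True if the Set-Cookie value sets the cookie with the given name. */
    static boolean isCookieNamed(String setCookie, String name) {
        String nameValue = setCookie.split(";", 2)[0].trim();
        return nameValue.length() > name.length()
                && nameValue.charAt(name.length()) == '='
                && nameValue.regionMatches(true, 0, name, 0, name.length());
    }

    /** True if the HttpOnly attribute is present; attribute names are case-insensitive. */
    static boolean hasHttpOnly(String setCookie) {
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().equalsIgnoreCase("HttpOnly")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Simplified model of the attributes the patched valve should emit: the
     * HttpOnly flag follows the Context's useHttpOnly setting instead of being
     * silently dropped. Illustration only, not Tomcat's cookie serializer.
     */
    static String expectedSessionCookie(String sessionId, String contextPath,
                                        boolean secure, boolean useHttpOnly) {
        StringBuilder sb = new StringBuilder("JSESSIONID=").append(sessionId);
        sb.append("; Path=");
        sb.append(contextPath == null || contextPath.length() == 0 ? "/" : contextPath);
        if (secure) {
            sb.append("; Secure");
        }
        if (useHttpOnly) {
            sb.append("; HttpOnly");
        }
        return sb.toString();
    }

    /** Every JSESSIONID Set-Cookie value that lacks HttpOnly while useHttpOnly is true. */
    static List<String> findViolations(List<String> setCookieValues, boolean useHttpOnly) {
        List<String> violations = new ArrayList<String>();
        if (!useHttpOnly) {
            return violations; // nothing to enforce when the Context does not ask for it
        }
        for (String value : setCookieValues) {
            if (isCookieNamed(value, "JSESSIONID") && !hasHttpOnly(value)) {
                violations.add(value);
            }
        }
        return violations;
    }

    public static void main(String[] args) {
        List<String> observed = Arrays.asList(BEFORE_FAILOVER, AFTER_FAILOVER);
        List<String> bad = findViolations(observed, true);
        for (String v : bad) {
            System.out.println("Missing HttpOnly: " + v);
        }
        // With the fix applied, the failover header should carry the flag again.
        System.out.println("Expected after failover: " + expectedSessionCookie(
                "327B246DA102027AB0860AE512169236.ajp13w2", "/test", false, true));
        System.exit(bad.isEmpty() ? 0 : 1);
    }
}
```

Run against the two captured values, the check reports the post-failover header as the violation; after the patch is applied, rerunning the same capture through it should report nothing and exit 0.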
This was fixed in trunk in r802146.
Created attachment 24585 [details] Update patch for 6.0.x

The provided patch for 6.0.x does not update the debug log message. An updated patch is attached which will be proposed for 6.0.x and 5.5.x.
The patch has been applied to 6.0.x and will be included in 6.0.21 onwards.
This has been fixed for 5.5.x and will be included in 5.5.29 onwards.