|Summary:||Options for changing jsessionid cookie name|
|Product:||Tomcat 5||Reporter:||Cedric de Launois <cedric.delaunois>|
|Component:||Catalina||Assignee:||Tomcat Developers Mailing List <dev>|
|Attachments:||Diff to add support for changing the value of JSESSIONID|
Description Cedric de Launois 2007-05-15 01:39:32 UTC
Feature request for allowing people to change the default jsessionid cookie name. This feature is needed in the following case:

Setup :
-------
- A single Apache web server fronting Tomcat servers AND other proprietary web servers.
- A web application 'A' is deployed on a Tomcat server, while another web application 'B' is deployed on another proprietary web server. Both applications 'A' and 'B' are accessed through the same IP or DNS name, but with different context-roots.

Problem :
---------
1) A user logs in on application 'A' on a Tomcat server, and does some work. The id of his session is retained in a cookie, named "JSESSIONID".
2) Web application A redirects the user to an application B on another, proprietary, web server.
3) The user arrives on application B. The session id contained in the cookie is not recognized. A new one is created, which replaces the old one.
4) The user returns to application A. The session id contained in the JSESSIONID cookie is the id of a session on a proprietary web server, which obviously does not correspond to any session on Tomcat. Thus, Tomcat is unable to retrieve the user's session. The session is lost.

In some cases, this problem can be fixed by setting the 'emptySessionPath' attribute to 'false' in Tomcat's server.xml. This will make all JSESSIONID cookies target the '/context' path instead of '/', and hence preserve the values of the jsessionid cookies. However, this attribute cannot be set to false in some scenarios, e.g. when portals are used, which require that jsessionid cookies be transmitted across applications.

Solution :
----------
A solution is to allow people to configure the name of the jsessionid cookie, for all applications on a given server, or for a specific application. In the depicted scenario, this prevents the application server 'B' from overwriting the jsessionid cookie of the application 'A'.
Currently, changing the name of the jsessionid cookie is not possible, as it is hardcoded in the following source files (non-exhaustive list):

- org/apache/catalina/connector/CoyoteAdapter.java (catalina.jar)
- org/apache/catalina/connector/Response.java (catalina.jar)
- org/apache/catalina/realm/RealmBase.java (catalina.jar)
- org/apache/jasper/tagplugins/jstl/Util.java (jasper-compiler.jar)
- native/common/jk_global.h (mod_jk.so)

This feature request applies (at least) to Catalina, Jasper and Native:JK.
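The overwrite described in steps 1 to 4 follows from how a browser stores cookies: by (name, domain, path). The sketch below is an added example, not part of the report or of Tomcat; the host, context paths, session values and the renamed cookie `TCSESSIONID` are constructed, and it assumes application B also scopes its cookie to its own context root in the path-scoped case.

```javascript
// Minimal model of a browser cookie store (RFC 6265): a cookie is identified
// by (name, host, path); setting the same triple again replaces the old value.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Store a host-only cookie set by a response from `host`.
  set(host, name, value, path) {
    this.cookies.set(`${name};${host};${path}`, { host, name, value, path });
  }

  // Cookies sent with a request to host + requestPath (RFC 6265 path-match).
  send(host, requestPath) {
    const out = [];
    for (const c of this.cookies.values()) {
      const prefix = c.path.endsWith('/') ? c.path : c.path + '/';
      const match = requestPath === c.path || requestPath.startsWith(prefix);
      if (c.host === host && match) out.push(`${c.name}=${c.value}`);
    }
    return out;
  }
}

// Replays steps 1-4 of the report for one cookie configuration.
function replay({ nameA, pathA, nameB, pathB }) {
  const jar = new CookieJar();
  const host = 'www.example.test';                   // constructed shared front-end host
  jar.set(host, nameA, 'tomcat-session-1', pathA);   // 1) login on A (Tomcat)
  jar.set(host, nameB, 'other-session-9', pathB);    // 2-3) B creates its own session
  const sent = jar.send(host, '/appA/work');         // 4) user returns to A
  return { sent, sessionKept: sent.includes(`${nameA}=tomcat-session-1`) };
}

// Same name, path "/" on both servers: B replaces A's cookie.
const shared = replay({ nameA: 'JSESSIONID', pathA: '/', nameB: 'JSESSIONID', pathB: '/' });
// Same name, each cookie scoped to its context root (emptySessionPath=false).
const scoped = replay({ nameA: 'JSESSIONID', pathA: '/appA', nameB: 'JSESSIONID', pathB: '/appB' });
// Path "/" kept for portals, but Tomcat's cookie renamed (hypothetical name).
const renamed = replay({ nameA: 'TCSESSIONID', pathA: '/', nameB: 'JSESSIONID', pathB: '/' });

console.log({ shared, scoped, renamed });
```

In the renamed case both cookies reach application A, so the Tomcat session survives while the cookies remain visible across context roots.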
Comment 1 Detlev Beutner 2007-05-22 09:37:11 UTC
Besides changing the cookie's name, additional options are to restrict the cookie to a certain domain and/or path. Different servers follow different possibilities, just for an overview:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/uprs_rcookie_settings.html
http://e-docs.bea.com/wls/docs100/webapp/weblogic_xml.html#wp1071982
http://help.sap.com/saphelp_erp2005/helpdata/en/d1/84fd48edeb41d0bb69d2689071f4cf/frameset.htm
Comment 2 jfclere 2007-06-22 03:57:24 UTC
For the front-end, instead of using mod_jk, use mod_proxy (2.2.x) with something like, for example:

<Location /myapp1>
  ProxyPass balancer://mycluster1/myapp1 stickysession=XSESSION nofailover=On
</Location>
<Location /myapp2>
  ProxyPass balancer://mycluster1/myapp2 stickysession=JSESSION nofailover=On
</Location>
Comment 3 André-John Mas 2008-10-05 11:06:21 UTC
If a change was made, I believe the simplest approach would be to allow a system property to override this. I believe JBOSS already does this. Would a patch to Tomcat be accepted to provide this support, if it was developed?
Comment 4 André-John Mas 2008-10-05 15:03:25 UTC
Created attachment 22672
Diff to add support for changing the value of JSESSIONID

BTW here is the reference to the entry asking for and solving the same issue in the JBOSS database:

https://jira.jboss.org/jira/browse/JBPAPP-363

Since the definition of the JSESSIONID value is now defined in a single file:

catalina/src/share/org/apache/catalina/Globals.java

this is the only place a change would need to be made. I have provided a diff using a similar style of coding as used for the STRICT_SERVLET_COMPLIANCE constant. The system parameter that would be used is:

org.apache.catalina.SESSION_COOKIE_NAME
Comment 5 André-John Mas 2008-10-05 15:16:44 UTC
Note that I have opened bug 45951 to deal with Tomcat 6. An equivalent patch has been added there.
Comment 6 André-John Mas 2008-10-06 11:24:39 UTC
Comment on attachment 22672
Diff to add support for changing the value of JSESSIONID

changing MIME type of attachment.
Comment 7 Mark Thomas 2008-10-06 11:41:50 UTC
A broader patch has been proposed for 5.5.x that additionally:
- makes the path name parameter configurable
- provides documentation
Comment 8 Mark Thomas 2009-03-24 05:46:41 UTC
This has been fixed in 5.5.x and will be included in 5.5.28 onwards.