jsessionid

Is jSessionId really unique?

霸气de小男生 submitted on 2019-12-23 09:34:38
Question: To put some context, I'm developing an API to track user actions on the site (anon users too). So far, we use jsessionId to identify each user and his actions. That API now runs on Tomcat and JBoss. The question that really matters is, since we analyze all data once a day, is the uniqueness of this jsessionId guaranteed in any way all along the day? Or, not concurrently, can another user get the same jsessionId used previously by another one? Thanks in advance. Answer 1: Sorry, it's not specified. It's only

JBoss 7.0.1 running without jsessionid in the URL is not working

风流意气都作罢 submitted on 2019-12-22 04:05:25
Question: Because of some security reasons I decided to disable session tracking by jsessionid in the URL. Before I changed my web.xml to the one below, I had a jsessionid in the URL the first time I visited the page; after clicking the first link, it never appeared again. My web.xml looks like <session-config> <session-timeout>10</session-timeout> <cookie-config> <secure>true</secure> </cookie-config> <tracking-mode>COOKIE</tracking-mode> </session-config> Now I have the jsessionid in the URL, if I

Sticky session not working with multiple apache vhosts and multiple JBoss 7.2 server-groups

五迷三道 submitted on 2019-12-22 01:29:16
Question: Having a specific cluster architecture with the following details: Load balancer ( 10.10.0.1 ) using Apache's mod_cluster 1.2.0 without advertising using multicast; 2 JBoss AS 7.2 servers ( jboss-instance-1, jboss-instance-1 ) in domain mode (host and slave), I'm using proxy-list instead of multicast. In domain.xml I have the following settings (only important snippets): ... <subsystem xmlns="urn:jboss:domain:modcluster:1.1"> <mod-cluster-config advertise-socket="modcluster" connector="ajp"

Can someone who merely knows my current JSESSIONID impersonate / hijack my session (Tomcat 7/Glassfish 3.2)?

夙愿已清 submitted on 2019-12-21 12:01:45
Question: I'm looking for a plain English, "for dummies" explanation of how JSESSIONID works from security aspects. Can someone who merely knows my current JSESSIONID impersonate / hijack my session? In what scenarios will JSESSIONID be part of the URL, and is this OWASP #2 security risk (scenario #1) still relevant for the latest versions of Tomcat / Glassfish, and if so, what to "turn off/on" to prevent it? Answer 1: Q: Can someone who merely knows my current JSESSIONID impersonate / hijack my session? A:

Tomcat 7 - JSESSIONID cookie is not accessible from JavaScript code

放肆的年华 submitted on 2019-12-20 12:17:13
Question: Does anyone know what changed in the configuration between Tomcat 6 and Tomcat 7 that would cause the JSESSIONID cookie to not be accessible via JavaScript? Using Tomcat 6: alert(document.cookie); // JSESSIONID=8675309ABCDEF... Using Tomcat 7: alert(document.cookie); // nothing Answer 1: Okay, I found the answer. The useHttpOnly attribute was set to false by default in Tomcat 6, and is true in Tomcat 7. This attribute is set for the <Context> container. <Context useHttpOnly="false" [...] /> For

Tomcat 7 - JSESSIONID cookie is not accessible from JavaScript code

…衆ロ難τιáo~ submitted on 2019-12-20 12:17:05
Question: Does anyone know what changed in the configuration between Tomcat 6 and Tomcat 7 that would cause the JSESSIONID cookie to not be accessible via JavaScript? Using Tomcat 6: alert(document.cookie); // JSESSIONID=8675309ABCDEF... Using Tomcat 7: alert(document.cookie); // nothing Answer 1: Okay, I found the answer. The useHttpOnly attribute was set to false by default in Tomcat 6, and is true in Tomcat 7. This attribute is set for the <Context> container. <Context useHttpOnly="false" [...] /> For

Spring boot configure custom jsessionid for embedded server

佐手、 submitted on 2019-12-18 11:22:15
Question: I want to configure my servlet context, such as setting a custom jsessionId key (see Changing cookie JSESSIONID name). I believe I can use the SpringBootServletInitializer when running a WAR file, manipulating the servletContext in onStartup(). However, when I run on an embedded application server, using new SpringApplicationBuilder().run(), I don't know the best place to manipulate the servlet context. Answer 1: As of Spring Boot 1.3 you can simply set a configuration property; Spring Boot 1.3,

Spring Security Sessions without cookies

徘徊边缘 submitted on 2019-12-18 03:50:17
Question: I'm trying to manage sessions in Spring Security without leveraging cookies. The reasoning is: our application is displayed within an iframe from another domain, we need to manage sessions in our application, and Safari restricts cross-domain cookie creation. (context: domainA.com displays domainB.com in an iframe. domainB.com is setting a JSESSIONID cookie to leverage on domainB.com, but since the user's browser is showing domainA.com, Safari restricts domainB.com from creating the cookie

what is the vulnerability of having Jsessionid on first request only

我怕爱的太早我们不能终老 submitted on 2019-12-18 03:45:42
Question: Recently we removed jsessionid from the URL and did cookie-based session management to prevent "session hijacking attack". But we found that the first request URL always has jsessionid when cookies are enabled and subsequent request URLs have NO jsessionid. Using the jsessionid from the first URL we could directly hit other pages in the workflow. Question: is there any security vulnerability in exposing jsessionid only on the first request? There is a solution to remove jsessionid from the first request, but wanted to

How to avoid ;jsessionid=XXX on the first call to a page? it works if first page is jsp

Deadly submitted on 2019-12-17 23:49:16
Question: I have an application which uses the welcome page index.jsp with an <iframe></iframe>; the contents of the iframe is a jsf page. If I access index.jsp I see a cookie already on the first GET in Firebug: Set-Cookie JSESSIONID=C615DA89B6EF73F801973EA3DCD3B226; Path=/ The page of the <iframe> inherits this jsessionid. BUT: when I directly access the page of the <iframe/> I get the jsessionId rewritten into all URLs without a cookie, on the first request. Afterwards the cookie is used. This is all