Problem with multiple JSESSIONIDs being generated

abhinavsingh11
Participant
0 Kudos

While going through spring-filter-config.xml, I found the following in OOB xml:

My specific concern is the following:

With the property useDefaultPath set to false, it was generating 4 JSESSIONIDs for different paths.

But when I set useDefaultPath to true, it was generating only 1 JSESSIONID.

 <bean id="defaultSessionCookieGenerator" class="com.shoprite.storefront.security.cookie.EnhancedCookieGenerator" >
     <property name="cookieSecure" value="true"/>
     <property name="cookieName" value="JSESSIONID"/>
     <property name="cookieMaxAge" value="-1"/>
     <property name="useDefaultPath" value="false"/>
     <property name="httpOnly" value="true"/>
 </bean>

My question is: why is useDefaultPath set to false in the default hybris storefront generated through modulegen in Hybris 6, as this was causing problems with clustering and load balancing?

After we changed this to: the problem disappeared. Any suggestions?

Accepted Solutions (1)

andyfletcher
Active Contributor
0 Kudos

I'm not really sure why this EnhancedCookieGenerator is needed for the JSESSIONID cookie anymore. It was presumably written for Servlet spec 2.5 that doesn't support setting httpOnly. If you just remove this cookie generator and rely on the default Tomcat behaviour you can put the settings in web.xml

e.g.

 <session-config>
     <session-timeout>30</session-timeout>
     <cookie-config>
         <http-only>true</http-only>
         <secure>true</secure>
     </cookie-config>
 </session-config>

Then you'll get one session cookie per context (unless you change sessionCookiePath in the context configuration) rather than a session cookie for every path that you visit.

andyfletcher
Active Contributor
0 Kudos

I've also experienced issues with using EnhancedCookieGenerator in the root context for other cookies (e.g. guidCookieGenerator). I changed line 105

from

 cookie.setPath(request.getContextPath());

to

 cookie.setPath(StringUtils.isBlank(request.getContextPath()) ? "/" : request.getContextPath());

Otherwise it ends up setting your cookies with a blank path which means the browser uses the path of the currently viewed page.
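
The browser behaviour both answers above describe, as an added example that is not part of the original thread or of the hybris code: it applies the RFC 6265 default-path and path-match rules to show how a blank cookie path yields one session cookie per visited directory, while `/` yields one. The visited URLs and the "new session whenever no cookie arrives" server model are assumptions made for illustration.

```javascript
// Added illustration, not hybris or Tomcat code.
// RFC 6265 section 5.1.4: the default-path a browser derives from the request
// URL when Set-Cookie carries no Path or one that does not start with "/".
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4 path-match: is a cookie with cookiePath sent to requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Simplified model (assumption): the server starts a new session and sends
// Set-Cookie whenever a request arrives without a session cookie.
function simulate(requestPaths, pathAttribute) {
  const jar = [];
  for (const reqPath of requestPaths) {
    const alreadySent = jar.some((c) => pathMatches(reqPath, c.path));
    if (alreadySent) continue;
    const path = pathAttribute.startsWith("/") ? pathAttribute : defaultPath(reqPath);
    jar.push({ name: "JSESSIONID", path, value: `session-${jar.length + 1}` });
  }
  return jar;
}

// Constructed page visits on a storefront deployed in the root context.
const VISITS = ["/cart/add", "/checkout/step1", "/my-account/orders/123", "/my-account/profile"];

const blankPath = simulate(VISITS, "");   // cookie.setPath("") on the root context
const rootPath = simulate(VISITS, "/");   // the isBlank(...) ? "/" fallback
console.log("blank Path:", blankPath.map((c) => c.path));
console.log('Path="/":  ', rootPath.map((c) => c.path));
```

Each extra cookie in the blank-path run is a separate server-side session, so cart or login state created under one path is not visible under another.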

Answers (0)