Skip to Content

Problem with multiple jsession id's being generated

While going through spring-filter-config.xml, I found the following in OOB xml:

My specific concern is following:

With property useDefaultPath set as false, it was generating 4 Jession id's for different path's.

but when I set useDefaultPath to true, it was generating only 1 jsession id.

 <bean id="defaultSessionCookieGenerator" class="com.shoprite.storefront.security.cookie.EnhancedCookieGenerator" >
     <property name="cookieSecure" value="true"/>
     <property name="cookieName" value="JSESSIONID"/>
     <property name="cookieMaxAge" value="-1"/>
     <property name="useDefaultPath" value="false"/>
     <property name="httpOnly" value="true"/>
 </bean>

My question is why is useDefaultPath set to false in default hybris storefront generated through modulegen in Hybris 6, as this was causing problems with clustering and load balancing?

After we changed this to: the problem disappeared. Any suggestions?

Add a comment
10|10000 characters needed characters exceeded

Related questions

1 Answer

  • Posted on Aug 23, 2016 at 03:07 PM

    I'm not really sure why this EnhancedCookieGenerator is needed for the JSESSIONID cookie anymore. It was presumably written for Servlet spec 2.5 that doesn't support setting httpOnly. If you just remove this cookie generator and rely on the default Tomcat behaviour you can put the settings in web.xml

    e.g.

     <session-config>
         <session-timeout>30</session-timeout>
         <cookie-config>
             <http-only>true</http-only>
             <secure>true</secure>
         </cookie-config>
     </session-config>
    

    Then you'll get one session cookie per context (unless you change sessionCookiePath in the context configuration) rather than a session cookie for every path that you visit.

    Add a comment
    10|10000 characters needed characters exceeded

    • I've also experienced issues with using EnhancedCookieGenerator in the root context for other cookies (e.g. guidCookieGenerator). I changed line 105

      from

       cookie.setPath(request.getContextPath());
      

      to

       cookie.setPath(StringUtils.isBlank(request.getContextPath()) ? "/" : request.getContextPath());
      

      Otherwise it ends up setting your cookies with a blank path which means the browser uses the path of the currently viewed page.

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.