Reputation: 25494
How to properly set JSESSIONID cookie path behind reverse proxy
My web app is running in Tomcat at http://localhost:8080/example.com/ but it is being reverse proxied from Apache that is serving up http://example.com/ on port 80. My web app looks at the request.getHeader("x-forwarded-host") header to know that it is behind a reverse proxy. When it detects this (dynamically) it builds URLs without the servlet path on them.
This works fine for everything except for the JSESSIONID cookie. It gets set with a path of /example.com instead of / when it is accessed through the reverse proxy. I can't figure out how I can have my code tell Tomcat to override the path for that cookie when there is a x-forwarded-host header on the request.
I've tried setting the JSESSIONID cookie from the web app myself, but that just results in two Set-Cookie headers, only one of which is correct.
Upvotes: 24
Views: 53313
Answers (4)
Reputation: 848
Another approach is to overwrite JESSIONID cookie on application side.
By doing this way, witchcraft happens, and the path value will be overwritten with the same value that the user sees on the URL of his browser (which is btw in the application context)
In my case i've solved by setting this cookie in the login page:
String cookieExpires = "0"; // you should set a real date here
StringBuilder sb = new StringBuilder("JSESSIONID");
sb.append("=");
sb.append( request.getSession().getId() );
sb.append("; Expires=");
sb.append(cookieExpires);
sb.append("; Secure; HttpOnly; SameSite=Strict");
response.addHeader("Set-Cookie", sb.toString());
in the case you end up having 2 JSESSIONID cookies, you should first delete all JSESSIONID cookies before adding the new one
Upvotes: 0
Reputation: 25494
Tomcat6 uses the Servlet 2.3 spec. It does not support changing the cookie path either through code or Tomcat configuration.
I got it to work from the Apache side with some mod_proxy directives. The ProxyPassReverseCookiePath directive does exactly what I want. It takes the cookie from Tomcat with the incorrect path and rewrites it to the correct path.
<VirtualHost *:*>
Servername example.com
ProxyRequests Off
ProxyPass / http://localhost:8080/example.com/
ProxyPassReverseCookiePath /example.com /
ProxyPassReverseCookieDomain localhost example.com
</VirtualHost>
Upvotes: 39
Reputation: 25494
Version 3.0 of the Servlet spec introduced functionality for controlling the session cookie: http://docs.oracle.com/javaee/6/api/javax/servlet/ServletContext.html#getSessionCookieConfig()
SessionCookieConfig scc = getServletContext().getSessionCookieConfig();
scc.setPath("/");
scc.setDomain("example.com");
Tomcat 7 uses version 3 of the Servlet specification.
Upvotes: 5
Reputation: 81
Alternatively set the attribute sessionCookiePath of the node /Context (file: /conf/context.xml) to "/":
<Context sessionCookiePath="/">
Have a look at: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html for more info
Upvotes: 8
Related Questions
- Forcing Tomcat to use secure JSESSIONID cookie over http
- Changing cookie JSESSIONID name
- set 'secure' flag to JSESSION id cookie
- cookies with <path>/</path> and JSESSIONID
- jsessionid as path parameter not working in Tomcat
- jsessionid passed in url if cookie and jsessionid stored by browser
- how to secure jsessionid cookie in tomcat 7 using environment variables
- JSESSIONID cookie domain
- Tomcat 7 - JSESSIONID cookie is not accessible from JavaScript code
- How do I set JSESSIONID domain to second level on Tomcat?