Configuration of JSESSIONID cookie set by CQSE
antonio_a1
October 16, 2015
Solved

Hello,

I have an AEM instance that uses Day-Servlet-Engine/4.1.52 (CQSE) and I would like to customize the JSESSIONID cookie.

Currently CQSE sets the JSESSIONID like this:

    Set-Cookie: JSESSIONID=00000000-000000000-0000-000000000000; Path=/; HttpOnly

so the domain of the cookie is set to the current domain by the browser, e.g. www.example.com.

However I would like to set the domain to .example.com, so the cookie would be available to all sub-domains of the example.com.

It looks like the solution would be to switch the CQSE servlet container to another one that supports configuration of cookies, like newer versions of Tomcat (http://stackoverflow.com/questions/82645/best-way-for-allowing-subdomain-session-cookies-using-tomcat).

When I tried to send 2 cookies with the help of a filter, one to override the existing JSESSIONID and another one which is the same JSESSIONID with the desired domain, the servlet engine adds the third JSESSIONID cookie, and the response headers look like this:

    Set-Cookie: JSESSIONID=; Expires=Thu, 01 Jan 1970 00:00:00 UTC; Path=/; HttpOnly    (added by filter)
    Set-Cookie: JSESSIONID=000000001-0002-0003-0003-000000001; Domain=.example.com; Path=/; HttpOnly    (added by filter)
    Set-Cookie: JSESSIONID=000000001-0002-0003-0003-000000001; Path=/; HttpOnly    (added by servlet engine, the same ID)

This is error-prone, and I was wondering if there are better solutions for adding the domain of the JSESSIONID cookie.

Any help will be very appreciated!
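
How a browser following RFC 6265 would store the three Set-Cookie headers from the question, as an added example that is not part of the original post: cookies are keyed by name, domain and path, so the engine's host-only cookie does not replace the filter's domain cookie, and both are sent to www.example.com. The storage model is simplified, and shop.example.com is a constructed sibling host used only for illustration.

```python
# Added example: simplified model of RFC 6265 cookie storage, not a full parser.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header, request_host):
    """Return ((name, domain, path), value, host_only, expired) for one header."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    domain, host_only, path, expired = request_host, True, "/", False
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            # Domain makes this a domain cookie; a leading dot is ignored.
            domain, host_only = val.lstrip(".").lower(), False
        elif key == "path" and val:
            path = val
        elif key == "expires":
            when = parsedate_to_datetime(val)
            when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
            expired = when <= datetime.now(timezone.utc)
    return (name, domain, path), value, host_only, expired

def apply_headers(headers, request_host):
    """Apply headers in order; only a cookie with the same key is replaced."""
    store = {}
    for header in headers:
        key, value, host_only, expired = parse_set_cookie(header, request_host)
        store.pop(key, None)
        if not expired:
            store[key] = (value, host_only)
    return store

def cookies_sent_to(store, host):
    """(name, value) pairs attached to a request for host, path "/" assumed."""
    return [(name, value)
            for (name, domain, _), (value, host_only) in store.items()
            if host == domain or (not host_only and host.endswith("." + domain))]

# The three response headers from the post, in the order shown there.
HEADERS = [
    "JSESSIONID=; Expires=Thu, 01 Jan 1970 00:00:00 UTC; Path=/; HttpOnly",
    "JSESSIONID=000000001-0002-0003-0003-000000001; Domain=.example.com; Path=/; HttpOnly",
    "JSESSIONID=000000001-0002-0003-0003-000000001; Path=/; HttpOnly",
]

if __name__ == "__main__":
    store = apply_headers(HEADERS, "www.example.com")
    print({h: cookies_sent_to(store, h) for h in ("www.example.com", "shop.example.com")})
```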

3 replies

Sham_HC
Accepted solution
Level 10
October 16, 2015

1) Firstly, CQ does not use a JSESSIONID. Do you really require it, and if yes, what is your business case? Note: the cookie is set if the JSPs are missing a <%@ page session="false" %> statement. You need to verify that all components correctly disable J2EE sessions.

2) The problem is, unfortunately, that as per the J2EE spec, sessions are enabled by default. So every JSP that forgets to add a <%@ page session="false" %> will trigger the creation of the session and the sending of the cookie.

3) Setting it in the init.jsp script might not help because some components might be missing the include.

With the above background, the proposed solution, if you are not using JSESSIONID, is:
A) Set it explicitly to false on all JSPs.
<%@ page session="false" %>

B) At [1], uncheck the property "default.is.session", which makes the Default Session Value false.

 

[1] http://host:port/system/console/configMgr/org.apache.sling.scripting.jsp.JspScriptEngineFactory

antonio_a1
October 16, 2015

Thank you for the reply,

The session is required (the user has the option to create and use an account on the site).

daitienshi
Level 2
February 7, 2017

Hi there,

I'm in a similar situation to yours with regard to configuring the cookie for all subdomains.

Did you happen to find a solution to this?

Thanks!