Hello,
I have an AEM instance that uses Day-Servlet-Engine/4.1.52 (CQSE) and I would like to customize the JSESSIONID cookie.
Currently CQSE sets the JSESSIONID like this:
so the domain of the cookie is set to the current domain by the browser, ex. www.example.com.
However, I would like to set the domain to .example.com, so the cookie would be available to all sub-domains of example.com.
It looks like the solution would be to switch the CQSE servlet container to another one that supports configuration of cookies, like newer versions of Tomcat (http://stackoverflow.com/questions/82645/best-way-for-allowing-subdomain-session-cookies-using-tomca...).
When I tried to send 2 cookies with the help of a filter, one to override the existing JSESSIONID and another one which is the same JSESSIONID with the desired domain, the servlet engine adds the third JSESSIONID cookie, and the response headers look like this:
This is error-prone, and I was wondering if there are better solutions for adding the domain of the JSESSIONID cookie.
Any help will be very appreciated!
1) Firstly, CQ does not use a JSESSIONID. Do you really require it, and if yes, what is your business case? Note: the cookie is set if the JSPs are missing a <%@ page session="false" %> statement. You need to verify that all components correctly disable J2EE sessions.
2) The problem, unfortunately, is that as per the J2EE spec sessions are enabled by default. So every JSP that forgets to add a <%@ page session="false" %> will trigger the creation of the session and the sending of the cookie.
3) Setting it in the init.jsp script might not help because some components might be missing the include.
With the above background, the solution proposed, if you are not using the JSESSIONID, is:
A) Set it explicitly to false on all JSPs.
<%@ page session="false" %>
B) At [1], uncheck the property "default.is.session", which makes the Default Session Value false.
[1] http://host:port/system/console/configMgr/org.apache.sling.scripting.jsp.JspScriptEngineFactory
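One way to carry out the verification described in the answer above, as an added example that is not part of the original thread or of Adobe's code: a Python scan of a checked-out component tree for JSPs that do not declare session="false". The directory layout and sample files are constructed, and the scan assumes the J2EE default (session enabled) applies whenever the attribute is absent.

```python
import re
import tempfile
from pathlib import Path

# JSP comments are stripped first so a commented-out directive does not count.
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.S)
# Classic syntax <%@ page ... %> and XML syntax <jsp:directive.page ... />.
PAGE_DIRECTIVE = re.compile(r"<%@\s*page\b(.*?)%>|<jsp:directive\.page\b(.*?)/?>", re.S)
SESSION_ATTR = re.compile(r"""\bsession\s*=\s*(["'])(.*?)\1""", re.S)

def session_setting(jsp_source):
    """Return the session attribute value, or None if no page directive sets it."""
    text = JSP_COMMENT.sub("", jsp_source)
    for match in PAGE_DIRECTIVE.finditer(text):
        attrs = match.group(1) or match.group(2) or ""
        attr = SESSION_ATTR.search(attrs)
        if attr:
            return attr.group(2).strip()
    return None

def scripts_creating_sessions(root):
    """List (path, value) for JSPs under root that do not declare session="false"."""
    findings = []
    for path in sorted(Path(root).rglob("*.jsp")):
        value = session_setting(path.read_text(encoding="utf-8", errors="replace"))
        if value != "false":  # conservative: only the exact literal counts
            findings.append((path.relative_to(root).as_posix(), value or "unset"))
    return findings

def demo():
    """Build a small constructed component tree and scan it."""
    base = "apps/site/components/"  # constructed layout, not from the thread
    samples = {
        base + "header/header.jsp": '<%@ page session="false" contentType="text/html" %>\n<h1>H</h1>',
        base + "teaser/teaser.jsp": '<%@ page contentType="text/html" %>\n<p>Teaser</p>',
        base + "old/old.jsp": '<%-- <%@ page session="false" %> --%>\n<p>Old</p>',
        base + "xml/xml.jsp": '<jsp:directive.page session="false"/>\n<p>XML</p>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scripts_creating_sessions(root)

if __name__ == "__main__":
    for path, value in demo():
        print(f"{path}: session={value}")
```

Every path it reports is a script that can create a session and emit the JSESSIONID cookie unless the "default.is.session" property from option B has been unchecked.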
Thank you for the reply,
The session is required (the user has the options to create and use an account on the site).
Hi there,
I'm in a similar situation as you with regards to configuring the cookie for all subdomains.
Did you happen to find a solution to this?
Thanks!