SOLVED

Configuration of JSESSIONID cookie set by CQSE

Level 1

Hello,

I have an AEM instance that uses Day-Servlet-Engine/4.1.52 (CQSE) and I would like to customize the JSESSIONID cookie.

Currently CQSE sets the JSESSIONID like this:

  1. Set-Cookie: JSESSIONID=00000000-000000000-0000-000000000000; Path=/; HttpOnly

so the domain of the cookie is set to the current domain by the browser, ex. www.example.com.

However, I would like to set the domain to .example.com, so the cookie would be available to all sub-domains of example.com.

It looks like the solution would be to switch the CQSE servlet container to another one that supports configuration of cookies, like newer versions of Tomcat (http://stackoverflow.com/questions/82645/best-way-for-allowing-subdomain-session-cookies-using-tomca...).

When I tried to send 2 cookies with the help of a filter, one to override the existing JSESSIONID and another one which is the same JSESSIONID with the desired domain, the servlet engine adds the third JSESSIONID cookie, and the response headers look like this:

  1. Set-Cookie: JSESSIONID=; Expires=Thu, 01 Jan 1970 00:00:00 UTC; Path=/; HttpOnly   (added by the filter)
  2. Set-Cookie: JSESSIONID=000000001-0002-0003-0003-000000001; Domain=.example.com; Path=/; HttpOnly   (added by the filter)
  3. Set-Cookie: JSESSIONID=000000001-0002-0003-0003-000000001; Path=/; HttpOnly   (added by the servlet engine, the same ID)

This is error-prone, and I was wondering if there are better solutions for adding the domain of the JSESSIONID cookie.

Any help will be very appreciated!
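As an added example (not code from the original post), here is a small Python audit that parses Set-Cookie headers like the ones quoted above and flags what the question describes: more than one live JSESSIONID in a single response, and the same session ID issued both host-only and with Domain=.example.com (browsers store those as two distinct cookies and send both back, so the server cannot tell which copy it will read). As general hardening checks it also reports a session cookie lacking HttpOnly or Secure; the Secure check only matters when the site is served over HTTPS. The sample header values are constructed from the question; the function names are this example's own.

```python
"""Audit the Set-Cookie headers of one HTTP response for session-cookie
conflicts (several JSESSIONID cookies, conflicting Domain scopes).
Added example; not part of the original post."""
from typing import Dict, List, NamedTuple, Tuple


class SetCookie(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, str]  # attribute names lower-cased; valueless flags map to ""


def parse_set_cookie(header: str) -> SetCookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    pair, *attr_parts = header.split(";")
    name, _, value = pair.partition("=")
    attrs: Dict[str, str] = {}
    for part in attr_parts:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return SetCookie(name.strip(), value.strip(), attrs)


def audit_session_cookies(headers: List[str], name: str = "JSESSIONID") -> List[Tuple[str, str]]:
    """Return (finding_code, detail) pairs for the session cookie called `name`.

    A response should issue at most one live copy of the session cookie. A
    host-only cookie (no Domain attribute) and a Domain=.example.com cookie
    with the same name are stored by browsers as two separate cookies, so
    both are sent on later requests and the server-side choice is ambiguous.
    """
    findings: List[Tuple[str, str]] = []
    session = [c for c in (parse_set_cookie(h) for h in headers) if c.name == name]
    # An empty value is a deletion cookie (as the filter in the question sends), not a live one.
    live = [c for c in session if c.value]
    if len(live) > 1:
        findings.append(("DUPLICATE", f"{len(live)} live {name} cookies in one response"))
    scopes = sorted({c.attrs.get("domain", "<host-only>") for c in live})
    if len(scopes) > 1:
        findings.append(("SCOPE_CONFLICT", f"{name} issued under scopes {scopes}"))
    for c in live:
        scope = c.attrs.get("domain", "<host-only>")
        if "httponly" not in c.attrs:
            findings.append(("NO_HTTPONLY", f"{name} ({scope}) lacks HttpOnly"))
        if "secure" not in c.attrs:  # relevant when the site is served over HTTPS
            findings.append(("NO_SECURE", f"{name} ({scope}) lacks Secure"))
    return findings


# Constructed from the three response headers quoted in the question.
OBSERVED_HEADERS = [
    "JSESSIONID=; Expires=Thu, 01 Jan 1970 00:00:00 UTC; Path=/; HttpOnly",
    "JSESSIONID=000000001-0002-0003-0003-000000001; Domain=.example.com; Path=/; HttpOnly",
    "JSESSIONID=000000001-0002-0003-0003-000000001; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for code, detail in audit_session_cookies(OBSERVED_HEADERS):
        print(f"{code:15} {detail}")
```

Run against the three headers from the question, the audit reports DUPLICATE and SCOPE_CONFLICT once each and NO_SECURE for both live cookies; a single `Domain=.example.com; HttpOnly; Secure` cookie produces no findings.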

1 Accepted Solution

Correct answer by
Level 10

1) Firstly, CQ does not use a JSESSIONID. Do you really require it, and if yes, what is your business case? Note: the cookie is set if the JSPs are missing a <%@ page session="false" %> statement. You need to verify all components to see whether they correctly disable J2EE sessions.

2) The problem, unfortunately, is that as per the J2EE spec, sessions are enabled by default. So every JSP that forgets to add a <%@ page session="false" %> will trigger the creation of the session and the sending of the cookie.

3) Setting it in the init.jsp script might not help because some components might be missing the include.

With the above background, the solution proposed if you are not using the JSESSIONID is:
A) Set it explicitly to false on all JSPs:
<%@ page session="false" %>

B) At [1], uncheck the property "default.is.session", which makes the Default Session Value false.

 

[1] http://host:port/system/console/configMgr/org.apache.sling.scripting.jsp.JspScriptEngineFactory
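An added example, not code from the answer or from AEM: a Python script that performs the verification point 1) asks for, walking a component tree and listing every JSP that lacks an explicit <%@ page session="false" %> directive (and so would create a session under the J2EE default). The sample JSP files and the apps/site/components/... paths are constructed for this example; the regular expression assumes a page directive contains no literal '>' inside an attribute value.

```python
"""List JSP files that leave the J2EE session enabled, i.e. that have no
<%@ page session="false" %> directive. Added example; not part of the
original answer or of AEM."""
import os
import re
import tempfile
from typing import List

# A page directive carrying session="false": single or double quotes, any
# attribute order, optional whitespace. Assumption: no literal '>' inside
# attribute values of the directive.
_SESSION_FALSE = re.compile(
    r"<%@\s*page\b[^>]*?\bsession\s*=\s*(['\"])\s*false\s*\1", re.IGNORECASE
)


def jsp_enables_session(source: str) -> bool:
    """True if this JSP would create an HttpSession (the spec default is session=true)."""
    return _SESSION_FALSE.search(source) is None


def find_session_enabling_jsps(root: str) -> List[str]:
    """Return the sorted, root-relative paths of all .jsp files under root that enable sessions."""
    hits: List[str] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".jsp"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if jsp_enables_session(fh.read()):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


# Constructed sample component tree: two JSPs disable the session correctly,
# one omits the directive, one enables the session explicitly.
SAMPLE_JSPS = {
    "apps/site/components/header/header.jsp": '<%@ page session="false" %>\n<div>header</div>\n',
    "apps/site/components/teaser/teaser.jsp": "<%@page import=\"java.util.List\" session='false'%>\n<div/>\n",
    "apps/site/components/footer/footer.jsp": '<%@ page import="java.util.Map" %>\n<div>footer</div>\n',
    "apps/site/components/login/login.jsp": '<%@ page session="true" %>\n<form/>\n',
}


def write_sample_tree() -> str:
    """Write SAMPLE_JSPS into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="jsp-session-audit-")
    for rel, body in SAMPLE_JSPS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel in find_session_enabling_jsps(write_sample_tree()):
        print("session enabled:", rel)
```

Point the script at a real component tree by calling find_session_enabling_jsps on its path instead of write_sample_tree(); every path it prints is a JSP that still needs the directive (or, per B), the default.is.session change).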

3 Replies

Level 1

Thank you for the reply,

The session is required (the user has the options to create and use an account on the site).

Level 2

Hi there,

I'm in a similar situation to you with regard to configuring the cookie for all subdomains.

Did you happen to find a solution to this?

Thanks!