JSESSIONID cookie generation, security

sandeepk7656774
Level 4

21-12-2018

We have AEM deployed on a JBoss server. Referring to existing forum links, we got information that every JSP script should have the following directive to avoid JSESSIONID cookie generation:

<%@page session="false">

I was able to reproduce this behavior on a local, non-server-based AEM installation on the Geometrixx sample site (removing the above directive from the JSP generated the JSESSIONID cookie; adding it did not).

But in our application on AEM running on JBoss, we had a template with Sightly, not including any JSP scripts (just to be sure, we removed everything from the page.html template file and kept only a sample message, to avoid including anything). When we access the page, AEM still generates JSESSIONID and it is not secured. This is being raised as a security issue.

One option is to run AEM on SSL; another option, per this reference link, that we thought of was changing only the session cookie to secure. But the reference link is about the Felix Jetty Service, which is not available in the case of an AEM on JBoss server installation.

But when the page template does not have any JSP script, JSESSIONID should not be generated in the first place. Any insights on this would be helpful.

Thanks,
Sandeep

Accepted Solutions (1)

WASIL
Employee

21-12-2018

AEM/Sling, when deployed on a web container, uses the servlet bridge (Felix HTTP proxy). You should disable the JSESSIONID on JBoss [2]. Also check out articles [3][4].

Thanks,

Wasil

[1] Apache Felix - Apache Felix HTTP Service

[2] How do I remove the jsessionid from URLs in JBoss EAP? - Red Hat Customer Portal

[3] How to enable HttpOnly and Secure Session Cookies in EAP 6.x - Red Hat Customer Portal

[4] Configure domain of JSESSIONID cookie on JBoss - Red Hat Customer Portal
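The question reports a JSESSIONID issued on a plain page without the Secure flag, and the accepted answer points to container-side configuration (HttpOnly and Secure session cookies) as the fix. The following added example, which is not code from this thread, from AEM, or from the Red Hat articles, is a small checker that parses a response's Set-Cookie headers and reports whether a JSESSIONID was issued at all and whether it carries Secure and HttpOnly. It is run against three constructed header sets: the unprotected cookie described in the question, a cookie as a correctly configured container would issue it, and a response with no session cookie (what a template without any JSP should produce). The `fetch_set_cookie_headers` helper is a hypothetical convenience for pointing the same audit at a real instance; the sample session id values are placeholders.

```python
"""Audit Set-Cookie headers for an unprotected JSESSIONID.

Added example, not code from the forum thread, from AEM or from JBoss: parses
the Set-Cookie headers of an HTTP response and reports whether a JSESSIONID
was issued and whether it carries the Secure and HttpOnly attributes.
The header lists at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List
import urllib.request


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute names are stored lower-cased; flag attributes map to ""
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    valueless attributes such as Secure and HttpOnly are kept with "" as value.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attributes: Dict[str, str] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attributes)


def session_cookie_issued(set_cookie_headers: List[str],
                          cookie_name: str = "JSESSIONID") -> bool:
    """True if any Set-Cookie header in the response sets the session cookie."""
    return any(parse_set_cookie(h).name == cookie_name for h in set_cookie_headers)


def audit_session_cookie(set_cookie_headers: List[str],
                         cookie_name: str = "JSESSIONID") -> List[str]:
    """Return findings for the session cookie; an empty list means clean.

    A response that issues no session cookie is also clean: no session means
    nothing to protect, which is the expected result for a page without JSPs.
    """
    findings: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name != cookie_name:
            continue
        if not cookie.secure:
            findings.append(f"{cookie_name} issued without Secure")
        if not cookie.httponly:
            findings.append(f"{cookie_name} issued without HttpOnly")
    return findings


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Hypothetical helper: fetch a URL and return every Set-Cookie value.

    Needs network access, so the samples below use constructed headers instead.
    """
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed samples; the session id values are placeholders, not real ids.
# 1) What the question describes: JSESSIONID on a plain page, no attributes.
WEAK_RESPONSE = ["JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/"]
# 2) Container configured to issue Secure + HttpOnly session cookies.
HARDENED_RESPONSE = ["JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/; Secure; HttpOnly"]
# 3) Page rendered without creating a session: no Set-Cookie header at all.
NO_SESSION_RESPONSE: List[str] = []


if __name__ == "__main__":
    samples = [("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE),
               ("no-session", NO_SESSION_RESPONSE)]
    for label, headers in samples:
        issued = session_cookie_issued(headers)
        findings = audit_session_cookie(headers)
        print(f"{label}: JSESSIONID issued={issued}, findings={findings or 'none'}")
```

Running the script prints two findings for the weak sample and none for the other two; the difference between the "hardened" and "no-session" results is the point of the original question: a correctly configured container fixes the cookie's attributes, while a template that creates no session never issues the cookie at all.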

Answers (2)

saikumark759541
Level 1

07-10-2020

Hi @sandeepk7656774,
I would like to add a correction here. In JSPs, when adding session="false", I believe the syntax needs to be as below. In your message the ending % is missing, which causes the issue.

<%@ page session="false" %>

smacdonald2008
Level 10

21-12-2018

Checking to see if we have any customer care information on this.