Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

SOLVED

JSESSIONID cookie generation, security

sandeepk7656774
Level 4
Level 4

We have AEM deployed on JBoss server. Referring to existing forum links we got information that every JSP script should have following directive to avoid JSESSIONID cookie generation

<%@page session="false">

I was able to reproduce this behavior on a local non-server based AEM installation on geometrixx sample site (where removing above directive from jsp generated JSESSIONID cookie, adding didn't generate).

But on our application on AEM running on JBoss, we had a template with sightly, not including any JSP scripts (just to ensure, removed everything from page.html template file and had only sample message, to avoid including anything). When we access the page, AEM still generated JSESSIONID and its non-secured. This is being raised as security issue.

One option is to run AEM on SSL, another option per this reference link, we thought of changing only session cookie to secure. But the reference link is about Felix Jetty Service, which is not available in case AEM on JBoss server installation.

But when page template is not having any JSP script, JSESSIONID should not generate in first place. Any insights to this would be helpful.

Thanks,
Sandeep

1 Accepted Solution
WASIL
Correct answer by
Employee
Employee
3 Replies
smacdonald2008
Level 10
Level 10

Checking to see if we have any customer care information on this.

WASIL
Correct answer by
Employee
Employee
saikumark759541
Level 1
Level 1

Hi @sandeepk7656774,
I would like to add a correction here. In JSPs when adding session= false. I believe Syntax needs to be as below. In your message ending % is missing which causes issue.

 

<%@ page session="false" %>