EJBCA / ECA-8239

Remove jsessionid from URLs on first session visit

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.2.0
    • Component/s: None
    • Labels: None
    • Provenance: Internal Delivery
    • Issue discovered during: Customer
    • Sprint: EJBCA Team Alice - 2019 w21

      Description

      The first time you create a new session to the RA web, links will include jsessionid in the URL. This is always flagged by security scanners, even if it's only the first time, so we should remove it.

      This thread explains why and what happens:

      https://stackoverflow.com/questions/1045668/jsessionid-is-occurred-in-all-urls-which-are-generated-by-jstl-curl-tag

      As well as how to fix it in web.xml (the tracking-mode element requires a Servlet 3.0 or later web.xml):

          <session-config>
              <tracking-mode>COOKIE</tracking-mode>
          </session-config>

      In our case the resulting session-config in RA web will be:

          <session-config>
              <!-- This timeout of 30 minutes will be used for non-JavaScript users that can't do background polling. -->
              <session-timeout>30</session-timeout>
              <tracking-mode>COOKIE</tracking-mode>
              <cookie-config>
                  <http-only>true</http-only>
                  <secure>true</secure>
              </cookie-config>
          </session-config>

      Tested that it works on JBoss EAP 7.1.0.
      We should add this to all web.xml files that belong to a UI and have a session-config.

      To reproduce:

      Currently jsessionid is shown in the URL (you can also see it when hovering over the link before clicking).

      Click on another link and jsessionid is gone, as JSF detects that cookies are being used.
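A check for the behaviour described above, added here as an example; it is not part of the ticket or of EJBCA's code. It flags rendered links that still carry a jsessionid path parameter (what a scanner reports on the first visit) and verifies the HttpOnly/Secure flags that the cookie-config sets. The HTML, paths and cookie values are constructed for the example.

```python
"""Added example (not EJBCA code): audit a first-visit response for
URL-based session tracking and for the session cookie flags.

A session id in the URL ends up in browser history, proxy logs and
Referer headers, which is why scanners flag it. The two checks below
cover what the web.xml change is meant to achieve: (1) no link carries
';jsessionid=' and (2) the JSESSIONID cookie is HttpOnly and Secure.
"""
import re
from html.parser import HTMLParser

# Servlet containers append the session id as a path parameter, e.g.
# /app/page.xhtml;jsessionid=ABC123?x=1 (it ends at '?', '#' or the next '/').
JSESSIONID_RE = re.compile(r";jsessionid=[^?#/]+", re.IGNORECASE)


class _UrlAttributeCollector(HTMLParser):
    """Collect every attribute value that carries a URL."""
    URL_ATTRS = {"href", "src", "action", "formaction"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in self.URL_ATTRS and value:
                self.urls.append(value)


def find_url_session_ids(html):
    """Return the URLs in `html` that carry a jsessionid path parameter."""
    collector = _UrlAttributeCollector()
    collector.feed(html)
    return [u for u in collector.urls if JSESSIONID_RE.search(u)]


def session_cookie_flags(set_cookie_header, cookie_name="JSESSIONID"):
    """Parse one Set-Cookie header; report HttpOnly/Secure for the session
    cookie, or None if the header sets a different cookie."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    if name != cookie_name:
        return None
    attrs = {p.lower() for p in parts[1:]}
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}


def audit_first_visit(html, set_cookie_header):
    """Combine both checks into the verdict a scanner would give."""
    leaked = find_url_session_ids(html)
    flags = session_cookie_flags(set_cookie_header) or {"httponly": False, "secure": False}
    return {
        "url_session_ids": leaked,
        "cookie_httponly": flags["httponly"],
        "cookie_secure": flags["secure"],
        "passes": not leaked and flags["httponly"] and flags["secure"],
    }


# Constructed samples (paths and ids are made up, not EJBCA's): the first
# response of a new session before the fix (URL rewriting active) and
# after it (tracking-mode COOKIE plus the cookie-config flags).
BEFORE_FIX_HTML = """<html><body>
<a href="/ra/enroll.xhtml;jsessionid=A1B2C3D4E5F6?step=1">Enroll</a>
<form action="/ra/search.xhtml;jsessionid=A1B2C3D4E5F6" method="post"></form>
<img src="/ra/img/logo.png">
</body></html>"""

AFTER_FIX_HTML = """<html><body>
<a href="/ra/enroll.xhtml?step=1">Enroll</a>
<form action="/ra/search.xhtml" method="post"></form>
<img src="/ra/img/logo.png">
</body></html>"""

BEFORE_FIX_COOKIE = "JSESSIONID=A1B2C3D4E5F6; Path=/ra"
AFTER_FIX_COOKIE = "JSESSIONID=A1B2C3D4E5F6; Path=/ra; Secure; HttpOnly"

if __name__ == "__main__":
    print("before:", audit_first_visit(BEFORE_FIX_HTML, BEFORE_FIX_COOKIE))
    print("after: ", audit_first_visit(AFTER_FIX_HTML, AFTER_FIX_COOKIE))
```

To use it against a real deployment, feed `audit_first_visit` the body and Set-Cookie header of the very first response of a fresh session (no cookie jar), since that is the only response on which URL rewriting is visible before the container switches to the cookie.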

              People

              Assignee: Tomas Gustavsson
              Reporter: Tomas Gustavsson
              Verified by: Henrik Sunmark
              Votes: 0
              Watchers: 4

                  Time Tracking

                  Estimated: 1h (original estimate 1 hour)
                  Remaining: 30m
                  Logged: 30m