Affects Version/s: None
Fix Version/s: EJBCA 7.2.0
Issue discovered during: Customer
Sprint: EJBCA Team Alice - 2019 w21
The first time you create a new session to the RA web, links will include jsessionid in the URL. This is always flagged by security scanners, even if it's only the first time, so we should remove it.
This thread explains why and what happens:
As well as how to fix it in web.xml:
In our case the resulting session-config in RA web will be:
Tested that it works on JBoss EAP 7.1.0.
We should add this to every web.xml that belongs to a UI and has a session-config.
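As an added illustration (not the snippet from this ticket or EJBCA's actual web.xml), the Servlet 3.0+ session-config element that restricts session tracking to cookies, so the container never rewrites jsessionid into links; the cookie-config hardening is an assumption beyond what the ticket asks for:

```xml
<!-- Added example: a Servlet 3.0+ web.xml session-config fragment that stops
     URL rewriting of jsessionid by allowing cookie-based tracking only.
     Element order (cookie-config before tracking-mode) follows the schema. -->
<session-config>
  <cookie-config>
    <!-- Assumed extra hardening, not needed for the jsessionid fix itself:
         keep the session cookie away from scripts and off plain HTTP. -->
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <!-- Without this element the container may fall back to URL rewriting
       (;jsessionid=...) on the first response, before it has seen the client
       return the cookie; that first-request link is what scanners flag. -->
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
```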
- open a new private tab
- open RA Web: https://localhost:8443/ejbca/ra/
- click on Enroll->Make new request
Now jsessionid is shown in the URL (as you can also see when hovering over the link before clicking).
Click on another link and jsessionid is gone, as JSF detects that cookies are being used.