Details
- Type: Improvement
- Status: Open
- Priority: Cosmetic
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: None
- Labels: None
- Provenance: Internal Delivery
Description
Currently we have multiple web-apps using the same JSESSIONID cookie name.
This means that the session id is re-used across our web-apps, but we probably do not maintain a consistent state across them.
For example, if a logout function calls invalidate() on the HttpSession, this will probably not invalidate the session across all interfaces.
(There is also a separate but related issue where separate access ports like 8443 and 8442 are sent the same cookie by the browser, which is the reason for always checking that the client certificate is present.)
We should consider configuring, for example,

    <session-config>
        ...
        <cookie-config>
            <name>**INSERT HERE**</name>
            ...
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

for each web-app.
Since existing TLS-intercepting load balancer configurations might rely on the shared cookie name for session stickiness, modifying this is potentially breaking.
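The collision described above can be checked offline. The following is an added example, not part of this issue or the project's code: it parses Set-Cookie headers captured from each web-app and reports session cookies that the browser would store under the same key. The host name, context paths (/app1, /app2) and cookie values are constructed; the ports 8443 and 8442 are the ones from the description.

```python
"""Detect session-cookie collisions between web-apps on one host.
Browsers key a cookie by name, host and path; the port is ignored
(RFC 6265 section 8.5), so apps on 8443/8442 or Path=/ vs Path=/app1
overwrite each other's JSESSIONID unless each uses its own name."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AppResponse:
    host: str        # host the browser connected to
    port: int        # listener port, ignored by the cookie jar
    set_cookie: str  # raw Set-Cookie header value from that app

def parse_set_cookie(header):
    """Return (name, path) of a Set-Cookie header; Path defaults to '/'."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    path = "/"
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "path" and value.strip():
            path = value.strip()
    return name, path

def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match: is the cookie sent to this path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def find_collisions(responses):
    """Pairs of apps whose session cookies share a name and a URL scope,
    so one app's Set-Cookie silently replaces the other's in the browser."""
    parsed = [(r, *parse_set_cookie(r.set_cookie)) for r in responses]
    hits = []
    for i, (ra, na, pa) in enumerate(parsed):
        for rb, nb, pb in parsed[i + 1:]:
            overlap = path_matches(pa, pb) or path_matches(pb, pa)
            if ra.host == rb.host and na == nb and overlap:
                hits.append((na, ra.host, (ra.port, pa), (rb.port, pb)))
    return hits

# Constructed sample: three apps still on the default JSESSIONID name.
SAMPLE = [
    AppResponse("ca.example", 8443, "JSESSIONID=a1; Path=/app1; Secure; HttpOnly"),
    AppResponse("ca.example", 8442, "JSESSIONID=b2; Path=/app1; Secure; HttpOnly"),
    AppResponse("ca.example", 8443, "JSESSIONID=c3; Path=/; Secure; HttpOnly"),
    AppResponse("ca.example", 8443, "APP2SESSION=d4; Path=/app2; Secure; HttpOnly"),
]
```

Running `find_collisions(SAMPLE)` reports three overlapping pairs among the JSESSIONID apps and none for the app that already has its own cookie name; once every web-app gets a distinct `<name>`, the list is empty.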
Issue Links
- is related to: ECA-8239 Remove jsessionid from URLs on first session visit (Closed)