
Investigate separate JSF session cookie names for each webapp

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Cosmetic
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Provenance:
      Internal Delivery

      Description

      Currently we have multiple web-apps using the same JSESSIONID cookie name.

      This means that the session id is re-used across our web-apps, but we (probably do not) maintain a consistent state.

      For example, if a logout function calls invalidate() on the httpSession, this will probably not invalidate it across all interfaces.

      (There is also a separate, but related issue where separate access ports like 8443 and 8442 are given the same cookie by the browser, which is the reason for always checking that the client certificate is present.)

      We should consider using for example,

          <session-config>
              ...
              <tracking-mode>COOKIE</tracking-mode>
              <cookie-config>
                  <name>**INSERT HERE**</name>
                  ...
              </cookie-config>
          </session-config>
      

      for each webapp.

      Since existing TLS-intercepting load balancer configurations might rely on the same cookie name for session stickiness, modifying this might be a breaking change.
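      To make the two problems in this description concrete (one JSESSIONID shared by several webapps, and ports not separating cookies), the following added script models how a browser stores and sends cookies under RFC 6265 and reports every request for which more than one cookie of the session name would be sent. It is an illustration written for this issue, not EJBCA code; the hostname, ports, context paths, cookie values and the per-webapp cookie names (EJBCASESSION, ADMINWEBSESSION, RASESSION) are constructed or hypothetical.

```python
"""Model of RFC 6265 cookie scoping: which session cookies reach which webapp.

Added example for this issue, not EJBCA code. Host, paths, ports and the
per-webapp cookie names below are constructed / hypothetical.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    domain: str
    path: str


def parse_set_cookie(request_url, header):
    """Turn a Set-Cookie header into the (name, domain, path) record a browser stores.

    The request port is deliberately NOT part of the record: cookies do not isolate
    by port (RFC 6265 section 8.5), which is why 8443 and 8442 see the same cookie.
    Secure/HttpOnly/SameSite are accepted but ignored here (all requests are https, same site).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    url = urlsplit(request_url)
    path = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "path" and val.startswith("/"):
            path = val
    if path is None:
        # default-path (RFC 6265 5.1.4): request path up to, not including, the last '/'
        p = url.path
        path = p[: p.rfind("/")] if p.count("/") > 1 else "/"
    return StoredCookie(name, value, url.hostname, path)


def path_matches(request_path, cookie_path):
    """RFC 6265 5.1.4 path-match: exact, or prefix ending in '/', or prefix at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def store(jar, cookie):
    """A new cookie replaces the stored one with the same (name, domain, path); port plays no role."""
    key = (cookie.name, cookie.domain, cookie.path)
    return [c for c in jar if (c.name, c.domain, c.path) != key] + [cookie]


def cookies_sent_to(jar, request_url):
    url = urlsplit(request_url)
    return [c for c in jar if c.domain == url.hostname and path_matches(url.path or "/", c.path)]


def session_cookie_ambiguities(jar, request_urls, session_cookie_names):
    """Map request URL -> list of values when more than one cookie of a session name would be sent.

    Two cookies with the same name on one request are exactly the cross-webapp
    mix-up described in the issue: the container has to pick one of them.
    """
    report = {}
    for u in request_urls:
        sent = cookies_sent_to(jar, u)
        for n in session_cookie_names:
            values = [c.value for c in sent if c.name == n]
            if len(values) > 1:
                report[u] = values
    return report


HOST = "https://ca.example.test"  # constructed hostname

# Constructed responses: (URL that returned the response, its Set-Cookie header).
# Three webapps, all using the container default cookie name; the RA is reached on port 8442.
SHARED_NAME = [
    (HOST + ":8443/ejbca/",          "JSESSIONID=main-1; Path=/ejbca; Secure; HttpOnly"),
    (HOST + ":8443/ejbca/adminweb/", "JSESSIONID=admin-1; Path=/ejbca/adminweb; Secure; HttpOnly"),
    (HOST + ":8442/ejbca/ra/",       "JSESSIONID=ra-1; Path=/ejbca/ra; Secure; HttpOnly"),
]
# The same webapps after each got its own <cookie-config><name> (hypothetical names).
PER_WEBAPP_NAME = [
    (HOST + ":8443/ejbca/",          "EJBCASESSION=main-1; Path=/ejbca; Secure; HttpOnly"),
    (HOST + ":8443/ejbca/adminweb/", "ADMINWEBSESSION=admin-1; Path=/ejbca/adminweb; Secure; HttpOnly"),
    (HOST + ":8442/ejbca/ra/",       "RASESSION=ra-1; Path=/ejbca/ra; Secure; HttpOnly"),
]
REQUESTS = [
    HOST + ":8443/ejbca/adminweb/index.xhtml",
    HOST + ":8443/ejbca/ra/",        # port 8443, although the RA cookie was set on 8442
    HOST + ":8443/ejbca/publicweb/",
]


def build_jar(responses):
    jar = []
    for url, header in responses:
        jar = store(jar, parse_set_cookie(url, header))
    return jar


def check(responses, session_cookie_names):
    return session_cookie_ambiguities(build_jar(responses), REQUESTS, session_cookie_names)


if __name__ == "__main__":
    print("shared JSESSIONID :", check(SHARED_NAME, ("JSESSIONID",)))
    print("per-webapp names  :", check(PER_WEBAPP_NAME, ("EJBCASESSION", "ADMINWEBSESSION", "RASESSION")))
```

      With the shared name, both the adminweb request and the RA request receive two JSESSIONID cookies (the /ejbca one plus their own), and the RA one arrives even though the request goes to port 8443 rather than 8442; with a distinct name per webapp the report is empty. The model only covers the browser side; whether a given load balancer's stickiness rule keys on the cookie name still has to be checked per deployment, as the description notes.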

              People

              Assignee: Unassigned
              Reporter: Johan Eklund (johan)
              Votes: 0
              Watchers: 1
