I was wondering what the use of the DWRSESSIONID cookie that is generated by DWR and sent to the browser is. Is it associated with the HttpSession? I don't see any practical reason to create this cookie when JSESSIONID is used to maintain state.
OnlyMAJ
1 Answer
The DWRSESSIONID cookie was added in DWR 3.0 to protect against CSRF attacks. It is set when a call is first made by the server-side DWR class Batch.java. On subsequent calls, it is used by BaseDwrpHandler.java to check for a CSRF attack. It is available even if there is no HttpSession, hence no JSESSIONID. Explained by Mike Wilson on the DWR-Users mailing list:

> In the DWR 3.0 model we create our own session cookie ("DWRSESSIONID") so there will always be a session cookie to base the CSRF check off, even if the application doesn't use the HttpSession.

Vik David
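Added example, not DWR's own code: the answer says the cookie is the basis of the CSRF check but not how the comparison is made, so this models the usual form of such a check, the double-submit pattern, in which the page's own script echoes the cookie value into the request body and the server compares the two. The body field name `httpSessionId`, the token length and the cookie attributes are assumptions; note that nothing here depends on JSESSIONID, which is the point the answer makes.

```python
from __future__ import annotations
import hmac
import secrets

COOKIE_NAME = "DWRSESSIONID"   # cookie name from the answer
BODY_FIELD = "httpSessionId"   # assumed name of the echoed field in the request body


def issue_or_reuse_session(cookies: dict) -> tuple[dict, str | None]:
    """Server side of the first call: mint a DWRSESSIONID if the client has none.

    Returns the cookie jar the browser holds afterwards and the Set-Cookie
    header value to send (None when the cookie already existed). JSESSIONID
    is never consulted, so the check works with no HttpSession at all.
    """
    if COOKIE_NAME in cookies:
        return cookies, None
    sid = secrets.token_urlsafe(24)   # 32 URL-safe chars of randomness (length assumed)
    jar = dict(cookies, **{COOKIE_NAME: sid})
    # Deliberately not HttpOnly: the page's own script must be able to read
    # the cookie to echo it into the request body, which the check relies on.
    return jar, f"{COOKIE_NAME}={sid}; Path=/; SameSite=Strict"


def client_batch(cookies: dict, payload: dict) -> dict:
    """Same-origin script: copy the cookie value into the body (constructed shape, not DWR's wire format)."""
    return dict(payload, **{BODY_FIELD: cookies.get(COOKIE_NAME, "")})


def is_csrf_attempt(cookies: dict, body: dict) -> bool:
    """Server side of later calls: the value echoed in the body must equal the cookie.

    A cross-site page cannot read the victim's cookie, so a forged request
    either omits the field or carries a value that does not match; both are rejected.
    """
    cookie_sid = cookies.get(COOKIE_NAME, "")
    body_sid = body.get(BODY_FIELD, "")
    if not cookie_sid or not body_sid:
        return True
    return not hmac.compare_digest(cookie_sid, body_sid)   # constant-time comparison
```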