
I have created a Filter listening on an url-pattern of /* which replaces the HttpServletRequest with a HttpServletRequestWrapper implementation.

I have a Servlet and in this Servlet I am using h:graphicImage to render images fetched from the Apache web server.

<h:graphicImage value="/locationInMyWebServer/myImage.jpg"></h:graphicImage>

When I hit the URL for accessing this page (containing image), the image was not getting displayed as JSESSIONID was getting appended to my image name. The URL that was getting formed was like below.

http:/myDomain/myServlet/../myImage.jpg;JSESSIONID=ABCDEFGHIJKLMM

Hence, I have used the Filter (more details about this filter are here) as stated in the beginning of my question.

From this Servlet there is a link for logging in. When a user logs in, the same JSESSIONID is retained even after authentication. Since the session ID is the same before and after a user logs in, this is leading to session-fixation attacks.

How can I avoid using this filter and also solve my problem of JSESSIONID being appended to image URLs when I use h:graphicImage?

PS: I can't use <img src> because my h:graphicImage is inside h:commandLink

The session ID was different before logging in and after logging in, before using this Filter.

I have added the relevant code below.

Below code is from my web.xml which has entry for Filter

<filter>
   <filter-name>URLSessionFilter</filter-name>
   <filter-class>myPackage.web.filter.URLSessionFilter</filter-class>
</filter>
<filter-mapping>
   <filter-name>URLSessionFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>

Code in my URLSessionFilter is below,

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class URLSessionFilter implements Filter
{
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException
  {
    if (!(request instanceof HttpServletRequest))
    {
      chain.doFilter(request, response);
      return;
    }

    HttpServletResponse httpResponse = (HttpServletResponse) response;

    // Wrap the response so that every URL-encoding call returns the URL
    // untouched, i.e. ;jsessionid=... is never appended to any URL
    // (pages, redirects and images alike).
    HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse)
    {
      @Override
      public String encodeRedirectUrl(String url)   // deprecated spelling, kept for old callers
      {
        return url;
      }

      @Override
      public String encodeRedirectURL(String url)
      {
        return url;
      }

      @Override
      public String encodeUrl(String url)           // deprecated spelling, kept for old callers
      {
        return url;
      }

      @Override
      public String encodeURL(String url)
      {
        return url;
      }
    };

    chain.doFilter(request, wrappedResponse);
  }

  public void init(FilterConfig filterConfig)
  {
  }

  public void destroy()
  {
  }
}

There is a link in my Servlet on click of which login page will be displayed. Code is below,

<h:commandLink action="#{myBean.myMethod}">
  <h:graphicImage value="/myLocInWebserver/myImage.jpg" />
</h:commandLink>

In myBean.myMethod, I am doing some DB clean-up activities and redirecting to the login page.

Vikas V
  • Apparently your wrapper implementation is broken? Show it in flavor of an SSCCE. As to the inability to use ``, this makes no sense. – BalusC Nov 06 '12 at 11:10
  • @BalusC I have added the relevant code. Hope I am clear about what I am doing. And as you said, I also suspect the wrapper implementation is broken somewhere. But I am not able to figure out where. – Vikas V Nov 06 '12 at 13:49
  • Sorry, I misinterpreted your question. I understood that the filter with the wrapper wasn't working properly and that it is causing session fixation attacks, exactly as you stated in the title. After all, your concrete question actually boils down to: "I don't want to use the filter and the wrapper, even though they are working fine, is there any other way?". Your question title is therefore completely misleading. – BalusC Nov 06 '12 at 14:04
  • @BalusC My apologies for misleading you. Sorry. I have edited my title now. Can you please suggest any other way without using the Filter and the Wrapper, keeping in mind the context of the problem that I am facing? – Vikas V Nov 06 '12 at 14:25
  • There is a solution at http://stackoverflow.com/questions/11349064/jsessionid-how-to-avoid-jsessionid-xxx-on-the-first-call-to-a-page-it-works – Reddymails Oct 31 '13 at 19:28
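The session-fixation side of the question, as an added example that is not code from the question or from any answer on this page: regardless of what a URL-rewriting filter does, the standard defence is to issue a fresh session ID at the moment credentials are verified, and to suppress ;jsessionid only for static resources rather than for every URL. The class names LoginHelper and StaticResourceFilter and the list of static file suffixes are assumptions for illustration; the calls used (HttpSession.invalidate, HttpServletRequest.getSession(true), HttpServletResponseWrapper.encodeURL/encodeRedirectURL) are part of the standard javax.servlet API.

```java
// Added example, not code from the question or any answer. LoginHelper,
// StaticResourceFilter and the static-suffix pattern are assumptions.
// Requires the Servlet 3.0 API or later (javax.servlet).
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/** Issues a new session ID once the user's credentials have been verified. */
class LoginHelper {
    /**
     * Call only after authentication succeeded. Copies the attributes the
     * application still needs, invalidates the pre-login session so its ID can
     * no longer be replayed, and returns a container-issued session with a new ID.
     * On Servlet 3.1+ request.changeSessionId() achieves the same in one call.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                keep.put(name, old.getAttribute(name));
            }
            old.invalidate();                       // pre-authentication ID is now dead
        }
        HttpSession fresh = request.getSession(true); // container generates a new ID
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}

/**
 * Keeps URL rewriting for pages and redirects (needed by cookie-less clients),
 * but returns static resource URLs untouched so ;jsessionid never lands in an
 * image path such as /myServlet/../myImage.jpg.
 */
public class StaticResourceFilter implements Filter {
    private static final Pattern STATIC_SUFFIX =
        Pattern.compile("(?i).*\\.(png|jpe?g|gif|ico|css|js)$");

    /** True for URLs whose path (query string ignored) ends in a static suffix. */
    static boolean isStaticResource(String url) {
        int q = url.indexOf('?');
        String path = q >= 0 ? url.substring(0, q) : url;
        return STATIC_SUFFIX.matcher(path).matches();
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletResponseWrapper wrapped =
            new HttpServletResponseWrapper((HttpServletResponse) response) {
                @Override
                public String encodeURL(String url) {
                    return isStaticResource(url) ? url : super.encodeURL(url);
                }
                @Override
                public String encodeRedirectURL(String url) {
                    return isStaticResource(url) ? url : super.encodeRedirectURL(url);
                }
            };
        chain.doFilter(request, wrapped);
    }

    public void init(FilterConfig filterConfig) { }
    public void destroy() { }
}
```

The login action (the myBean.myMethod of the question, or whatever handles the credential check) calls LoginHelper.rotateSession(request) right after the password has been verified and before it stores the authenticated principal in the session; an attacker who planted a JSESSIONID before login then holds an invalidated ID. The filter is mapped to /* exactly like the original one, but only image and asset URLs bypass encoding.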

1 Answer


Another way is to avoid the servlet container interpreting something as a URL. To accomplish that, you would avoid any of the special JSP or JSF tags and directly use HTML tags. In your case, that could look as follows:

<h:commandLink  action="#{myBean.myMethod}">
  <img src="#{request.contextPath}/myLocInWebserver/myImage.jpg"/>
</h:commandLink>

No more <h:graphicImage> ...

You would still want your context path to be prefixed without any hardcoding - hence the use of #{request.contextPath}.

I recently came to this solution, as I was integrating JavaMelody with my application, and provided a link for admins to the tool. However, somehow JavaMelody fails with the ;jsessionid appended. Hence, I am currently generating the URL as follows:

<a href="#{request.contextPath}/monitoring" 
   target="_blank" 
   class="ui-link ui-widget"
>
  Java Melody Performance Monitoring
</a>

instead of the typical JSF solution

<p:link value="Java Melody Performance Monitoring" 
        href="/monitoring" 
        target="_blank" 
/>

which simply won't work.

The benefit of this solution is that I can now control this on a URL by URL basis, and I do not have to worry about setting <tracking-mode>COOKIE</tracking-mode> globally.

YoYo
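The global alternative the answer mentions, as an added example that is not code from the answer: instead of fixing each link, tell the container to carry the session ID only in a cookie, which turns off URL rewriting for every URL the application emits. The class name SessionTrackingConfig is an assumption; ServletContext.setSessionTrackingModes, SessionCookieConfig and @WebListener are part of the Servlet 3.0 API, and the spec allows setSessionTrackingModes to be called from contextInitialized.

```java
// Added example, not code from the answer. SessionTrackingConfig is a
// hypothetical name; requires the Servlet 3.0 API or later.
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Programmatic equivalent of
 *   <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
 * in web.xml: the container never rewrites ;jsessionid into any URL, so
 * neither h:graphicImage nor p:link needs special handling.
 */
@WebListener
public class SessionTrackingConfig implements ServletContextListener {

    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Only the cookie carries the session ID; URL rewriting is switched off.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Harden the cookie itself while we are here.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);   // not readable from page script
        cookie.setSecure(true);     // assumption: the application is served over HTTPS only
    }

    public void contextDestroyed(ServletContextEvent sce) { }
}
```

The trade-off is the one the answer points out: cookie-only tracking is all-or-nothing, so clients that refuse cookies lose their session entirely; the per-link plain-HTML approach above keeps URL rewriting available everywhere else.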