
I have a bunch of problems with the JSESSIONID cookie in different scenarios. I've already read a lot of information, but it feels crazy when things do not work as expected.

Long story short, I have a web server behind a proxy server (nginx). The proxy handles requests with HTTPS (and redirects HTTP to HTTPS); the proxy also has LDAP authorization (it does not matter, but anyway).

On the web server machine, an Apache proxy is configured that redirects from port 443 (HTTPS) to port 80. The web server is Tomcat; it is configured in server.xml to use secure cookies (connector settings).

To summarize

[browser] ----->  [nginx proxy] -----> [tomcat app server]

Now the problems:

  1. When opening the app from the intranet (requests go directly to the app server without the nginx proxy), cookies are not cached at all. Developer tools show that the response contains the JSESSIONID cookie, but new requests do not use it and the app breaks.

    Key point: the server returns a secure cookie

  2. When opening the app from the internet (requests go through the nginx proxy), cookies are cached. The application works fine. But the cookies are not secure, though they could be (because Tomcat is configured for it and we run through HTTPS).

So, I want to understand why cookies are not cached in the first case and why cookies are not secure in the second case.

Update

I removed

<session-config>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>

from web.xml (it was intended to make all cookies secure; I found it somewhere on the web).

After that, problem 1 was solved (cookies are cached now) and problem 2 was solved too (cookies are secure). Honestly, I don't understand this magic and want to hear some expert explanation.

AdamSkywalker
  • In the first case, what is the "path" on the cookie in Developer Tools? Can you post Set-Cookie response for first case? – Grady G Cooper May 18 '15 at 13:35
  • in the 1st case, new requests are not HTTPS, therefore they do not carry secure cookies. – ZhongYu May 18 '15 at 13:40
  • @GradyGCooper Here it is: Set-Cookie:JSESSIONID=541D1542C7024C5515BBA1B358442FC8; Path=/app/; Secure; HttpOnly. I accidentally fixed the first bug by changing the web.xml setting; I'll update the question to clarify the situation. – AdamSkywalker May 18 '15 at 13:42
  • also, should use `/app` instead of `/app/` as the path. – ZhongYu May 18 '15 at 13:52
  • @bayou.io jsessionid cookie is set by tomcat server, I can't force it to set another path. – AdamSkywalker May 18 '15 at 13:53
  • if you visit URL `/app` (which should display the welcome page), is the cookie carried over? try it on IE/Chrome. If the cookie is missing, it should be counted as a tomcat bug. see http://www.ietf.org/mail-archive/web/http-state/current/msg01406.html – ZhongYu May 18 '15 at 14:09
  • You could change path with this mechanism: http://stackoverflow.com/questions/3980392/tomcat-7-session-cookie-path – Grady G Cooper May 18 '15 at 14:24

1 Answer

You can remove the trailing slash of the cookie with

sessionCookiePathUsesTrailingSlash="false"

for the context

D Smith
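The two effects discussed on this page (the question's intranet case, where a Secure cookie is returned but never sent back, and the comment thread's point that Path=/app/ does not cover a request for /app, which is what the answer's sessionCookiePathUsesTrailingSlash="false" Context attribute changes) both come down to the browser-side rules in RFC 6265. The following is an added example, not code from the question, the answer, or Tomcat: a small model of the RFC 6265 path-match rule (section 5.1.4) and the Secure-attribute rule (section 5.4), run over constructed Set-Cookie values and constructed hostnames. It simplifies the default-path computation (a cookie without a Path attribute is treated as Path=/), which is enough here because Tomcat always sends an explicit Path.

```python
"""Model of a browser's decision to attach a stored cookie to a request.

Added example (not from the question or answer). Implements RFC 6265
section 5.1.4 path-match and the section 5.4 Secure check, the two rules
behind the symptoms described on the page. Hostnames and cookie values
below are constructed sample data.
"""

from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    path: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into a Cookie.

    Only the attributes relevant here (Path, Secure, HttpOnly) are handled.
    Simplification: a missing Path attribute is treated as "/" instead of
    the RFC's default-path derived from the request URI.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(),
                    path="/", secure=False, http_only=False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path" and val.strip().startswith("/"):
            cookie.path = val.strip()
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4: does the request path match the cookie path?

    A match requires one of:
      * the paths are identical;
      * the cookie path is a prefix of the request path and ends in "/";
      * the cookie path is a prefix of the request path and the next
        character of the request path is "/".
    Note that "/app" does NOT match cookie path "/app/", which is the
    trailing-slash problem raised in the comments.
    """
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def would_send(cookie: Cookie, url: str) -> bool:
    """Decide whether a browser attaches the cookie to a request for url.

    RFC 6265 section 5.4: a Secure cookie is only sent over a "secure"
    scheme (https here), then the request path must path-match.
    """
    scheme, _, rest = url.partition("://")
    _, slash, path = rest.partition("/")
    request_path = "/" + path if slash else "/"
    if cookie.secure and scheme != "https":
        return False  # the intranet (plain-HTTP) case from the question
    return path_matches(request_path, cookie.path)


if __name__ == "__main__":
    # Constructed sample: Tomcat-style cookie with the trailing-slash path.
    trailing = parse_set_cookie(
        "JSESSIONID=constructedsessionvalue; Path=/app/; Secure; HttpOnly")
    # Constructed sample: same cookie as produced with the trailing slash removed.
    no_trailing = parse_set_cookie(
        "JSESSIONID=constructedsessionvalue; Path=/app; Secure; HttpOnly")
    for c in (trailing, no_trailing):
        for u in ("http://intranet.example/app/",
                  "https://intranet.example/app/",
                  "https://intranet.example/app",
                  "https://intranet.example/application"):
            print(f"Path={c.path:<6} {u:<40} sent={would_send(c, u)}")
```

The first printed group reproduces problem 1 (a Secure cookie is dropped on every plain-HTTP request, so the session never resumes) and the comment-thread concern (with Path=/app/, a request for the bare /app URL carries no cookie); the second group shows that with Path=/app, as the answer's Context attribute produces, /app and /app/... both match while /application still does not.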