We're running into an issue with multiple JSESSIONID cookies being sent. Our web app is a Java EE web app running on Payara Server 5.2021.10.

The login page gets a JSESSIONID for the / path before logging in. After logging in, we redirect to /my-app and the browser is issued a second JSESSIONID for the /my-app path. The first cookie for / remains and is not refreshed, which could leave us open to a session fixation vulnerability.

Is there any configuration in web.xml, or any Java-side code, that could prevent a JSESSIONID from being issued before the user is actually logged in?

jhansen
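The two controls the question is asking for, shown as an added example rather than code from the question or from Payara: a ServletContextListener that applies the same settings a web.xml session-config/cookie-config block would (cookie-only tracking, HttpOnly, Secure), and a login servlet that renders the form without creating a session and rotates the session id with HttpServletRequest.changeSessionId() (Servlet 3.1) once authentication succeeds. It assumes the javax.servlet namespace that Payara 5 ships, a container realm already configured so that request.login() works, and that the login page and /my-app live in one deployment; the class names LoginServlet and SessionCookieHardening and the form markup are made up for the example.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Programmatic equivalent of web.xml:
 *   <session-config>
 *     <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
 *     <tracking-mode>COOKIE</tracking-mode>
 *   </session-config>
 * Cookie-only tracking stops the id from ever appearing as ;jsessionid= in URLs,
 * which is the classic session-fixation delivery channel. (Example code, not Payara's.)
 */
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Only legal during context initialisation, hence a listener.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setHttpOnly(true);
        cfg.setSecure(true);
        // cfg.setPath(...) is deliberately left at the default (context root);
        // two cookies with different paths are two sessions, see the usage note.
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    /** GET renders the form and never touches req.getSession(), so no Set-Cookie is sent. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        // Constructed placeholder form for the example.
        resp.getWriter().print("<form method='post'>"
                + "<input name='username'>"
                + "<input name='password' type='password'>"
                + "<button>Login</button></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        try {
            // Container-managed authentication against the configured realm (Servlet 3.0).
            req.login(user, pass);
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Session fixation defence: any id the browser held before authentication
        // must not survive it. changeSessionId() keeps the HttpSession object and its
        // attributes but issues a fresh id and a new Set-Cookie; it throws
        // IllegalStateException when there is no session, hence the guard.
        HttpSession existing = req.getSession(false);
        if (existing != null) {
            req.changeSessionId();
        } else {
            req.getSession(true);   // first session is created only now, post-login
        }
        resp.sendRedirect(req.getContextPath() + "/my-app");
    }
}
```

Two caveats worth checking in your own deployment. First, JSP and JSF pages create a session implicitly, so a login page written as a JSP will hand out a JSESSIONID on GET regardless of this servlet unless it declares `<%@ page session="false" %>`. Second, if the login page (context root /) and /my-app are separate deployments rather than one web app, they hold separate sessions and changeSessionId() in one cannot touch the other; in that case call invalidate() on the pre-login session before redirecting, which leaves the stale cookie in the browser but makes its id unusable server-side.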

1 Answer

I don't know if you still need help, but I might have a solution for you. I will assume that your problem occurs in a production environment (same as mine).

I've recently faced several problems with jsessionid in my project. After reading many solutions on the internet that do not work, I just found a way to fix it. I hope it can help you too.

You just need to configure SSL in your Payara. I had to follow this tutorial. There is just one piece of information that you have to change: when you create the file, instead of putting it in the $PAYARA_HOME/glassfish/domains/production/config directory, put it in $PAYARA_HOME/glassfish/domains/production/

Just send a message if you need more help :)

Pablo Silva