Currently JSESSIONID is set by xxx.domain.com and I'd like to read the JSESSIONID from yyy.domain.com, so how can I change the JSESSIONID cookie's domain from xxx.domain.com to .domain.com? I'm using Apache as the web server. Thanks.
We have to set cookie-secure directly in the WebLogic server instead of giving it in weblogic.xml:
<session-descriptor>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
</session-descriptor>
It sounds like you are trying to have http-only cookies as a default. This is not possible in WebLogic. You could try to add a custom filter class, but you would have to insert this into every web.xml which is just as much of a hassle.
The better option would be to configure this in a web server or layer 7 load balancer that proxies traffic to WebLogic. For a crude example, insert the following in an Apache virtual host config to add the HttpOnly and Secure flags to every cookie that is set.
Header edit Set-Cookie (.*) "$1; HttpOnly; Secure"
I have a server from OVH and I'm having some problems setting up a subdomain for it.
My server configuration is something like this:
Apache service working on port 80 with the website, which works only with https (the Apache config redirects http requests to https).
PostgreSQL service on default port 5432
GitLab installation working over nginx on port 81.
I'm trying to set the external_url for GitLab to http://git.example.com:81, but when I try to access it, I'm being redirected to an OVH default page.
I can access GitLab if I set the external URL to something like http://example.com:81, or even if I set a relative path like http://example.com:81/gitlab, but I can't make it work with the subdomain http://git.example.com:81.
How do you think I can get it working? Maybe I have to change the DNS zone or something related to the redirections in the OVH web manager panel?
Thanks in advance! This is a really great community!
(Posted on behalf of the OP).
I just assigned this redirection in the web hosting panel: git.example.com => example.com, and that does the trick.
My Apache Tomcat is running behind an Apache httpd web server, connected via mod_jk.
When a browser requests an https page (rather than http) as its first session request, Tomcat sends a session cookie with the secure flag, which makes the user's logged-in session unavailable for http pages later.
How can I remove the session cookie's secure flag using mod_headers?
I already tried adding an option to web.xml like the one below.
<session-config>
    <cookie-config>
        <secure>false</secure>
    </cookie-config>
</session-config>
However, it doesn't work. I guess this option doesn't make the servlet request non-secure, and Tomcat will put the secure flag on session cookies unless both the context's session config and the servlet request are not secure.
Here is my own solution added to httpd-vhost.conf for now:
Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
I'm using one Apache HTTPD and multiple Tomcats as the load balancing solution. Session stickiness is based on the JSESSIONID cookie. I have two questions that really need your help.
1) The Tomcat version is 7, and cookies can be shared with subdomains. The domains look like this:
en.mydomain.com
es.mydomain.com
it.mydomain.com
Configured in context.xml:
<Context sessionCookieDomain=".mydomain.com" sessionCookiePath="/" />
Meanwhile, we have a staging environment that has sub-subdomains, and cookies can also be shared across the domains below:
en.alpha.mydomain.com
es.alpha.mydomain.com
it.alpha.mydomain.com
Configured in context.xml:
<Context sessionCookieDomain=".alpha.mydomain.com" sessionCookiePath="/" />
But sometimes the JSESSIONID cookie is shared between en.mydomain.com and en.alpha.mydomain.com, which is not expected.
How can I resolve this issue? Cookies should not be shared between subdomains at different levels.
2) I tried to refresh the JSESSIONID cookie for the above question, but failed. In a Tomcat JSP:
session.invalidate();
session = request.getSession(true);
out.print(session.getId());
The JSESSIONID cookie is refreshed when accessing this Tomcat JSP directly, but stays the same when accessing it through its Apache proxy. Should I modify mod_proxy etc. to support refreshing the JSESSIONID cookie when accessing the Apache URL?
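An added illustration, not from any post on this page, of why a cookie set with Domain=.mydomain.com also reaches en.alpha.mydomain.com: it parses Set-Cookie headers and applies the RFC 6265 domain- and path-matching rules a browser uses, and also reports whether the Secure and HttpOnly flags from the earlier Apache answer are present. The header values and host names used with it are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # effective domain, leading dot stripped
    host_only: bool    # True when the header carried no Domain attribute
    path: str = "/"
    secure: bool = False
    httponly: bool = False

def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse one Set-Cookie header received from origin_host (RFC 6265 5.2/5.3)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name.strip(), value.strip(), origin_host.lower(), True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:  # browsers drop the leading dot
            c.domain, c.host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            c.path = val
        elif key in ("secure", "httponly"):
            setattr(c, key, True)
    return c

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or ends with '.' + domain."""
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_matches(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: equal, or prefix ending in '/' or followed by '/'."""
    return req_path == cookie_path or (req_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"))

def would_send(c: Cookie, host: str, path: str = "/", https: bool = True) -> bool:
    """Would a browser attach this cookie to a request for host + path?"""
    host = host.lower()
    if c.secure and not https:
        return False
    host_ok = host == c.domain if c.host_only else domain_matches(host, c.domain)
    return host_ok and path_matches(path, c.path)

def missing_flags(c: Cookie) -> list:
    """Which of the flags the 'Header edit' answer above adds are absent."""
    return [f for f, ok in (("Secure", c.secure), ("HttpOnly", c.httponly)) if not ok]
```

With the two environments from the question, would_send(parse_set_cookie("JSESSIONID=abc123; Path=/; Domain=.mydomain.com", "en.mydomain.com"), "en.alpha.mydomain.com") returns True, while the staging cookie with Domain=.alpha.mydomain.com is not sent to en.mydomain.com, so a browser that has visited production carries its JSESSIONID into staging.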
How does Apache or mod_jk validate whether a session has been created or not, whether the session is valid or not, and whether the session ID is valid or not? How does Apache handle sessions?
Apache doesn't interfere with (or do any "validation" of) the JSESSIONID cookie at all. It simply propagates everything from the client to Tomcat, and from Tomcat back to the client.