on 08-22-2013 6:12 AM
Hi Gurus,
I am using NW AS Java 7.3. I have a problem with the jsessionid: it is not renewed when a new session is created from an HTTP request whose URL contains the jsessionid. I have created a simple test case:
HTTP request (GET):
http://127.0.0.1:50000/login.do;jsessionid=gYArgRJKi-vPaGaS5Pm6FJ0rBFiiPwGK8H8A_SAPEnAYRDDZbFI4us7UI9Xyyn;saplb_*=(J2EE8114620)8114650
Login.java:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class Login extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>Logging on");
        // Drop any session that already exists before creating the new one
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        out.println("<p>request.getSession(true);</p>");
        session = request.getSession(true);
        // Expected: a fresh id, not the one carried in the request URL
        out.println("<p>session.getId()=</p>" + session.getId());
        out.println("</body></html>");
    }
}
Result:
Logging on
request.getSession(true);
session.getId()=
gYArgRJKi-vPaGaS5Pm6FJ0rBFiiPwGK8H8A_SAP
Meaning that with the same URL, the exact same jsessionid (gYArgRJKi-vPaGaS5Pm6FJ0rBFiiPwGK8H8A_SAP) will always be created. Additionally, my business requirement requires me to always use URL session tracking. Hence, I have in web-j2ee-engine.xml:
<url-session-tracking>true</url-session-tracking>
I have checked SAP note 1310561. It states that such session fixation issues have been resolved in NW 7.3. How can I have the jsessionid renewed when a session is created, even though the jsessionid is specified in the URL and URL session tracking is always enabled?
Or is SessionIdRegenerationEnabled not applicable to the 'url-session-tracking = true' scenario?
Thanks a lot first. Any help will be appreciated greatly.
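A more complete version of the test case, added here as an example and not taken from the original post: it records the id the client supplied, invalidates, creates a new session and reports whether the container actually handed out a different id (the servlet class name and the /home.do path are assumed).

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: renews the session at login and checks that the id really changed.
public class LoginCheckServlet extends HttpServlet {

    /** True only when the container issued an id different from the one the client sent. */
    static boolean isSessionRenewed(String requestedId, String newId) {
        return requestedId == null || !requestedId.equals(newId);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Id the client sent, from the URL or a cookie; null when none was sent.
        String requestedId = request.getRequestedSessionId();
        boolean fromUrl = request.isRequestedSessionIdFromURL();

        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("requested id: " + requestedId + " (from URL: " + fromUrl + ")");
        out.println("new id:       " + fresh.getId());
        if (!isSessionRenewed(requestedId, fresh.getId())) {
            // The container reused the client-supplied id: fixation protection is not effective here.
            log("WARNING: session id " + fresh.getId() + " was not renewed after invalidate()");
            out.println("session id NOT renewed");
        } else {
            out.println("session id renewed");
        }
        // With URL rewriting, follow-up links must carry the new id, never the incoming one.
        out.println("next url: " + response.encodeURL(request.getContextPath() + "/home.do"));
    }
}
```

Requesting it twice with the same ;jsessionid=... URL, as in the original test case, shows directly whether the id is regenerated; the warning line in the server log gives a grep target for the condition.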
First off what SP level do you have in your NW73 system?
I'm not 100% sure but I don't think the two parameters are dependent from each other.
Can you share the business requirement for URL session tracking? Setting url-session-tracking to true means that URL rewriting is always done, whereas with the default setting (false) cookies will be used if the client supports them, otherwise URL rewriting will be used.
Setting SessionIdRegenerationEnabled to true will enable additional checks, another parameter (JSessionMarkId) is automatically generated.
Hi,
Thanks for the reply.
I cannot find the SP level. I have tried for a few days but still cannot get it from JSPM or SUM.
Anyways, I have some other details:
SAP Java EE Application Server Version 7.31
Patchlevel 3710.148365
Regarding the business requirement for URL session tracking: there is a legacy application which does not support cookies and needs to access my website. I need to make sure that session fixation is not occurring in such a case, as mentioned in my initial question.
Thanks.
Not sure if it will help, but you can try to trace the user session as described in Tracing Single User Sessions. Maybe it will shed light on the problem.