How to change jsessionid cookie path to server root in Spring app on Jetty?

java spring jetty session-cookies maven-jetty-plugin
Tauren picture Tauren · Oct 6, 2012 · Viewed 20.2k times · Source

I have a Jetty server running a Spring app on the /app context. The app uses sessions, so it sets a session cookie, which responds like this:

set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/app; HttpOnly

I need that cookie to have a path of / instead of the webapp's context. Plus I want to use secure cookies. I want this response:

set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/; HttpOnly; Secure

Where is the proper place to configure the session cookie? Does spring help with this? Should it be in web.xml? Or do I need to configure it in a container specific way, such as jetty-web.xml?

I've tried a bunch of things, but nothing has worked so far. Below are some things I tried.

Attempt #1

Created WEB-INF/jetty-web.xml with the following:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
      <Get name="sessionManager">
        <Set name="sessionCookie">MYJETTYSESSION</Set>
        <Set name="sessionPath">/</Set>
        <Set name="secureCookies" type="boolean">true</Set>
        <Set name="httpOnly" type="boolean">true</Set>
      </Get>
    </Get>
</Configure>

This causes an exception to be thrown:

2012-10-05 02:41:41.180:WARN:oejx.XmlConfiguration:Config error at <Set name="sessionPath">/</Set> java.lang.NoSuchMethodException: class org.eclipse.jetty.server.session.HashSessionManager.setSessionPath(class java.lang.String)
2012-10-05 02:41:41.180:WARN:oejx.XmlConfiguration:Config error at <Get name="sessionManager"><Set name="sessionCookie">MYJETTYSESSION</Set><Set name="sessionPath">/</Set><Set name="secureCookies">true</Set><Set name="httpOnly">true</Set></Get> java.lang.NoSuchMethodException: class org.eclipse.jetty.server.session.HashSessionManager.setSessionPath(class java.lang.String)
2012-10-05 02:41:41.180:WARN:oejx.XmlConfiguration:Config error at <Get name="sessionHandler"><Get name="sessionManager"><Set name="sessionCookie">MYJETTYSESSION</Set><Set name="sessionPath">/</Set><Set name="secureCookies">true</Set><Set name="httpOnly">true</Set></Get></Get> java.lang.NoSuchMethodException: class

The full stack trace is in this gist.

Attempt #2

Created WEB-INF/jetty-web.xml with the following:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Call name="setInitParameter">
        <Arg>org.eclipse.jetty.servlet.SessionCookie</Arg>
        <Arg>MYSESSIONID</Arg>
    </Call>
    <Call name="setInitParameter">
        <Arg>org.eclipse.jetty.servlet.SessionIdPathParameterName</Arg>
        <Arg>mysessionid</Arg>
    </Call>
    <Call name="setInitParameter">
        <Arg>org.eclipse.jetty.servlet.SessionPath</Arg>
        <Arg>/</Arg>
    </Call>
</Configure>

This does not cause any exception, but the cookie is still JSESSIONID and contains the webapp context path /app.

Attempt #3

Updated WEB-INF/web.xml with the following:

<context-param>
    <param-name>org.eclipse.jetty.servlet.SessionPath</param-name>
    <param-value>/</param-value>
</context-param>
<context-param>
    <param-name>org.eclipse.jetty.servlet.SessionCookie</param-name>
    <param-value>MYSESS</param-value>
</context-param>

This does not cause any exception, but the cookie is still JSESSIONID and contains the webapp context path /app.

Attempt #4

Updated WEB-INF/web.xml with the following:

<session-config>
    <session-timeout>720</session-timeout>
    <cookie-config>
        <name>SZSESSION</name>
        <path>/</path>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

This does not cause any exception, but the cookie is still JSESSIONID and contains the webapp context path /app.

Maven configuration

Note that I'm using Jetty Maven Plugin version 8.1.5.v20120716 and doing a mvn jetty:run:

<jetty.maven.plugin.version>8.1.5.v20120716</jetty.maven.plugin.version>
<spring.version>3.0.0.RELEASE</spring.version>
  ...
<plugin>
    <groupId>org.mortbay.jetty</groupId>
    <artifactId>jetty-maven-plugin</artifactId>
    <version>${jetty.maven.plugin.version}</version>
    <configuration>
        <scanIntervalSeconds>10</scanIntervalSeconds>
        <reload>manual</reload>
        <stopPort>${jetty.stop.port}</stopPort>
        <stopKey>foo</stopKey>
        <webAppConfig>
              <contextPath>/app</contextPath>
        </webAppConfig>
    </configuration>
       ...
</plugin>

Answer

jesse mcconnell picture jesse mcconnell · Oct 6, 2012

Attempt #4 is on the right track.

Providing I am reading this right, you're using the maven configuration on the context /app which means in your web.xml the / your settings is /app because that is the root of the context you're configuring.

Put another way you can't configure the session for www.foo.com/ if you are only deploying into the www.foo.com/app context, imagine if someone else were deploying apps into that url, you can't just decide to make your session cookies apply to everyone operating under that url.

Related questions

Maven Dependency Conflict: org.w3c.dom.ElementTraversal

I have a Java codebase which is using Maven for both dependency resolution and running tests on CI. After a recent batch of development (big enough to make it hard to identify the breaking change), some of my tests now …

Read More
How to make Jetty dynamically load "static" pages

I am building Java web applications, and I hate the traditional "code-compile-deploy-test" cycle. I want to type in one tiny change, then see the result INSTANTLY, without having to compile and deploy. Fortunately, Jetty is great for this. It is …

Read More
Java / Jetty: How to Add Filter to Embedded Jetty

I am working with embedded Jetty and I want to add a servlet filter to check for authentication before each request. I tried following this example but it looks like the signature has changed. <dependency> <groupId>…

Read More