When is the JSESSIONID cookie added to the response

A-Diddy · Feb 10, 2015 · Viewed 7.1k times

I have a JSF 2.0 application, let's call it "MyApp", with a SessionScoped bean that uses the below code to get the session and set the path on init...

HttpServletRequest request = (HttpServletRequest)FacesContext.getCurrentInstance().getExternalContext().getRequest();   //Get request from external context
HttpSession session = request.getSession(false);   //Get session and don't create one if it doesn't exist
session.getServletContext().getSessionCookieConfig().setPath(""); //Set the path in the session's cookie

My problem is that the updated path ("") doesn't show up in the response session cookie, JSESSIONID, until the second request to the application. The first request gets a JSESSIONID cookie in the response with the default path, which includes the application's root context ("/MyApp"). If I reload the page, this second request will get a response with a JSESSIONID cookie that includes the updated path ("").

I can't seem to find any documentation on when the default JSESSIONID cookie is created and added to the response. I'm not sure if the updated session path is being set in the first response's JSESSIONID cookie or if it's being set and overridden by the page's default JSESSIONID cookie.

Questions:

  1. When does the default JSESSIONID cookie get added to the response?
  2. Is it possible to disable the page's default JSESSIONID cookie from being created?

Answer

BalusC · Feb 10, 2015

When does the default JSESSIONID cookie get added to the response?

When the HTTP session is created for the first time. E.g. when JSF needs to put a newly created session scoped bean in there. So if you're writing some code in such a bean which should manipulate the session, then you're basically already too late.

Your code snippet is also strong evidence for it. If the session was really not created, then request.getSession(false) would have returned null and subsequently, calling session.getServletContext() would have thrown a NullPointerException and you'd have asked a very different question.


Is it possible to disable the page's default JSESSIONID cookie from being created?

I believe you're asking the wrong question. You actually want to ask how to set the session cookie path the right way.

You're supposed to configure the session cookie path in web.xml as below:

<session-config>
    <cookie-config>
        <path>/</path>
    </cookie-config>
</session-config>

If you really intend to do it programmatically for some unclear reason which is not elaborated in the question, then you should be doing this before the HTTP session is created for the first time. In other words, you should absolutely not be doing this in a session scoped JSF managed bean, nor be grabbing the needed ServletContext from the HttpSession itself.

The most sensible place would be a servlet context listener or, if you really need it to be "JSF-ish", then an eagerly initialized application scoped bean. Please note that this is an application-wide setting, not a session-wide setting. It being a property of ServletContext (and not of HttpSession) already hints at that. Thus, once you set it, it affects all newly created session cookies. Depending on the concrete functional requirement which you told nothing about, there may be better ways. E.g. an additional cookie.
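
The servlet context listener approach described in the answer, as an added example that is not part of the original post or the answerer's own code. The class name SessionCookiePathListener is hypothetical; the code assumes a Servlet 3.0 container (javax.servlet) and reuses the "/" path from the web.xml snippet above.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Hypothetical listener name. It runs once at application startup, before
// any HTTP session exists, so the very first JSESSIONID cookie already
// carries the configured path.
@WebListener
public class SessionCookiePathListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        // Take the ServletContext from the startup event, not from an HttpSession.
        ServletContext context = event.getServletContext();
        SessionCookieConfig cookieConfig = context.getSessionCookieConfig();

        try {
            // Application-wide setting: applies to every session cookie the
            // container creates from now on. With "/" the browser sends the
            // session id to every path on the host, including other web
            // applications deployed there, so widen it only when required.
            cookieConfig.setPath("/");

            // Assumption (not in the original answer): keep the cookie out of
            // reach of page scripts while its scope is being widened.
            cookieConfig.setHttpOnly(true);
        } catch (IllegalStateException e) {
            // The Servlet API specifies this exception when the setters are
            // called after the ServletContext has finished initializing,
            // which is the situation of code running in a session scoped bean.
            context.log("Session cookie config can no longer be changed", e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to clean up.
    }
}
```

A listener registered this way does the same job as the cookie-config element in web.xml; use one or the other so the effective path has a single source.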