Quarkus - Changing the default session cookie name - quarkus

How to change the default session cookie name in Quarkus? The default cookie name is JSESSIONID, and the application property "quarkus.http.auth.form.cookie-name" does not seem to work, nor does the <cookie-config> tag in web.xml.

Can you file a bug? This has not been wired up properly, the web.xml parser does not pass the value into Undertow.

Related

Spring property for Set Cookie Secure flag not working

Tried using the below spring properties:
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true
Still not able to see secure flag in response header for Set Cookie.

Session cookie custom path

I have a Spring Boot application and want to deploy it to WildFly 12. What I'm trying to achieve is to set a custom path for the JSESSIONID cookie. But after all, my efforts haven't had any results.
I have tried to use this property in my application.properties file:
server.servlet.session.cookie.path=/
When I run the application with the embedded Tomcat, everything works fine, but when I deploy my app to WildFly, regardless of the value of that property, it always sets the cookie path to the "context-path" of the application.
I have also tried to use this property:
server.servlet.context-path=/
but no success so far!
There is also this tag inside the standalone.xml file:
<session-cookie http-only="true" secure="true"/>
but it seems that it has nothing to do with the cookie path, as it doesn't have any property regarding that.
The configuration you are doing is for the embedded server of the Spring Boot application.
Embedded server settings are present in the application properties (this can be checked here, in the section # EMBEDDED SERVER CONFIGURATION and the namespace server.servlet.session.cookie.*).
To modify cookie-related configuration on external servers, you have to create a CookieSerializer bean, which can be used to customize the cookie configuration, e.g.

    import org.springframework.context.annotation.Bean;
    import org.springframework.session.web.http.CookieSerializer;
    import org.springframework.session.web.http.DefaultCookieSerializer;

    // Declared inside a @Configuration class
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("JSESSIONID");
        serializer.setCookiePath("/");
        serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");
        return serializer;
    }

You can refer to the Spring guide for more information.

Login not working after setting cookies?

I've just set custom cookie values for my application with Spring.
On my web.xml I added this:
    <session-config>
        <cookie-config>
            <domain>.127.0.0.1</domain> <!-- I want to run my app in localhost:8949/administrator -->
            <path>/administrator</path>
            <secure>false</secure>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>
So, the login form appears and I log in; it creates the session but returns me to the login page.
I see 2 requests with different jsessionid values:
one at j_spring_security_check and the other at administrator/, and the request for the file login;jsessionid=ASDF...
My question: is this problem due to a misconfiguration of my cookie? Could it be that the specified path is not the correct one? In that case, how can I specify the domain with a port? Or is the path incorrect?
Any idea?

How to store values in session if cookie is disabled in spring MVC

I am using Spring MVC 3.1 and developing a web application.
I am storing the logged-in user name and password in the session. Since the session is stored in a cookie, once cookies are disabled I am not able to log in.
Is there any solution in Spring MVC to store the session other than in a cookie?
Thanks
You want to use URL rewriting to persist the JSESSIONID in the URLs across requests. You can configure the ServletContext to use the URL tracking mode (instead of COOKIE) as described here.
With Servlet 3.0 you do this:
    <session-config>
        <tracking-mode>URL</tracking-mode>
    </session-config>
I noticed that in my application (Java EE 6, Spring MVC 3.2.4, Spring Security 3.1.4) JSTL's <c:url> tags start adding the sessionid value to each URL when cookies get disabled. Spring Security works normally. I did not have to do any configuration to achieve this.

Disable jsessionid via http header (cookie) in Tomcat 7

I'm looking to disable jsessionid from being used in the https headers.
Is there a way to turn this off or disable this being set as a cookie in tomcat 7?
I either want the jsessionid to arrive embedded into a GET method url name value pairs or to be part of a POST request name value pairs.
I know all the advantages and disadvantages of using cookie based sessioning and url rewriting but I have specific needs for specific impl of restful web services.
I need tomcat 7 to accept jsessionid without using the http header: jsessionid.
Thanks.
UPDATE:
So I looked around some more and found this, which is implemented using the web.xml conf.
However, the following doesn't seem to work with Tomcat 7.

    <session-config>
        <tracking-mode>URL</tracking-mode>
    </session-config>

Is it a case of TC7 not fully implementing the Servlet 3.0 spec?
The web.xml setting works for me with Tomcat 7.0.20.
Log and check the effective (and maybe the default) session tracking modes:

    logger.info("default STM: {}", servletContext.getDefaultSessionTrackingModes());
    logger.info("effective STM: {}", servletContext.getEffectiveSessionTrackingModes());

Maybe your app overrides the session tracking modes somewhere in the code. An example:

    final Set<SessionTrackingMode> trackingModes =
            Collections.singleton(SessionTrackingMode.COOKIE);
    servletContext.setSessionTrackingModes(trackingModes);

Check ServletContext.setSessionTrackingModes() calls in your code.
It's also possible to set default session tracking modes in Tomcat's context settings, but I found that web.xml settings override them.
