How to change jsessionid cookie path to server root in Spring app on Jetty?

I have a Jetty server running a Spring app on the /app context. The app uses sessions, so it sets a session cookie, which responds like this:

set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/app; HttpOnly

I need that cookie to have a path of / instead of the webapp’s context. Plus I want to use secure cookies. I want this response:

set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/; HttpOnly; Secure

Where is the proper place to configure the session cookie? Does spring help with this? Should it be in web.xml? Or do I need to configure it in a container specific way, such as jetty-web.xml?

I’ve tried a bunch of things, but nothing has worked so far. Below are some things I tried.

Attempt #1

Created WEB-INF/jetty-web.xml with the following:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
      <Get name="sessionManager">
        <Set name="sessionCookie">MYJETTYSESSION</Set>
        <Set name="sessionPath">/</Set>
        <Set name="secureCookies" type="boolean">true</Set>
        <Set name="httpOnly" type="boolean">true</Set>
      </Get>
    </Get>
</Configure>

This causes an exception to be thrown:

2012-10-05 02:41:41.180:WARN:oejx.XmlConfiguration:Config error at <Set name="sessionPath">/</Set> java.lang.NoSuchMethodException: class org.eclipse.jetty.server.session.HashSessionManager.setSessionPath(class java.lang.String)
2012-10-05 02:41:41.180:WARN:oejx.XmlConfiguration:Config error at <Get name="sessionManager"><Set name="sessionCookie">MYJETTYSESSION</Set><Set name="sessionPath">/</Set><Set name="secureCookies">true</Set><Set name="httpOnly">true</Set></Get> java.lang.NoSuchMethodException: class org.eclipse.jetty.server.session.HashSessionManager.setSessionPath(class java.lang.String)
2012-10-05 02:41:41.180:WARN:oejx.XmlConfiguration:Config error at <Get name="sessionHandler"><Get name="sessionManager"><Set name="sessionCookie">MYJETTYSESSION</Set><Set name="sessionPath">/</Set><Set name="secureCookies">true</Set><Set name="httpOnly">true</Set></Get></Get> java.lang.NoSuchMethodException: class 

The full stack trace is in this gist.

Attempt #2

Created WEB-INF/jetty-web.xml with the following:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Call name="setInitParameter">
        <Arg>org.eclipse.jetty.servlet.SessionCookie</Arg>
        <Arg>MYSESSIONID</Arg>
    </Call>
    <Call name="setInitParameter">
        <Arg>org.eclipse.jetty.servlet.SessionIdPathParameterName</Arg>
        <Arg>mysessionid</Arg>
    </Call>
    <Call name="setInitParameter">
        <Arg>org.eclipse.jetty.servlet.SessionPath</Arg>
        <Arg>/</Arg>
    </Call>
</Configure>

This does not cause any exception, but the cookie is still JSESSIONID and contains the webapp context path /app.

Attempt #3

Updated WEB-INF/web.xml with the following:

<context-param>
    <param-name>org.eclipse.jetty.servlet.SessionPath</param-name>
    <param-value>/</param-value>
</context-param>
<context-param>
    <param-name>org.eclipse.jetty.servlet.SessionCookie</param-name>
    <param-value>MYSESS</param-value>
</context-param>

This does not cause any exception, but the cookie is still JSESSIONID and contains the webapp context path /app.

Attempt #4

Updated WEB-INF/web.xml with the following:

<session-config>
    <session-timeout>720</session-timeout>
    <cookie-config>
        <name>SZSESSION</name>
        <path>/</path>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

This does not cause any exception, but the cookie is still JSESSIONID and contains the webapp context path /app.

Maven configuration

Note that I’m using Jetty Maven Plugin version 8.1.5.v20120716 and doing a mvn jetty:run:

<jetty.maven.plugin.version>8.1.5.v20120716</jetty.maven.plugin.version>
<spring.version>3.0.0.RELEASE</spring.version>
  ...
<plugin>
    <groupId>org.mortbay.jetty</groupId>
    <artifactId>jetty-maven-plugin</artifactId>
    <version>${jetty.maven.plugin.version}</version>
    <configuration>
        <scanIntervalSeconds>10</scanIntervalSeconds>
        <reload>manual</reload>
        <stopPort>${jetty.stop.port}</stopPort>
        <stopKey>foo</stopKey>
        <webAppConfig>
              <contextPath>/app</contextPath>
        </webAppConfig>
    </configuration>
       ...
</plugin>
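As an added example, not part of the original question or answer: a small Python checker that parses a Set-Cookie header and reports whether the session cookie carries the Path, HttpOnly and Secure attributes the question asks for. The two sample headers are the ones quoted in the question; nothing else is assumed.

```python
# Added example (not from the original question or answer): a checker for
# Set-Cookie headers that reports whether the session cookie has the Path,
# HttpOnly and Secure attributes requested in the question.
from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased for case-insensitive lookup; flag
    attributes such as HttpOnly and Secure map to None. An optional
    leading "set-cookie:" label (as in the question's captures) is dropped.
    """
    text = header.strip()
    if text.lower().startswith("set-cookie:"):
        text = text.split(":", 1)[1].strip()
    parts = [p.strip() for p in text.split(";")]
    # The first segment is NAME=VALUE; partition on the first "=" only,
    # so values that themselves contain "=" survive intact.
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def check_session_cookie(header: str, expected_path: str = "/",
                         require_httponly: bool = True,
                         require_secure: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the cookie is as wanted."""
    name, _, attrs = parse_set_cookie(header)
    problems: List[str] = []
    path = attrs.get("path")
    if path != expected_path:
        problems.append(f"{name}: Path is {path!r}, expected {expected_path!r}")
    if require_httponly and "httponly" not in attrs:
        problems.append(f"{name}: HttpOnly flag missing")
    if require_secure and "secure" not in attrs:
        problems.append(f"{name}: Secure flag missing")
    return problems


# The two headers quoted in the question: what Jetty currently sends and
# what the poster wants it to send.
ACTUAL_HEADER = "set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/app; HttpOnly"
WANTED_HEADER = "set-cookie:JSESSIONID=679b6291-d1cc-47be-bbf6-7ec75214f4e5; Path=/; HttpOnly; Secure"

if __name__ == "__main__":
    for label, header in (("actual", ACTUAL_HEADER), ("wanted", WANTED_HEADER)):
        problems = check_session_cookie(header)
        print(label, "OK" if not problems else "; ".join(problems))
```

Run it against the Set-Cookie header captured from the server after each configuration change; the attribute lookup is case-insensitive, so it works on headers as logged by browsers, proxies or curl alike.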

Answers

Attempt #4 is on the right track.

Providing I am reading this right, you're using the maven configuration on the context /app, which means in your web.xml the / in your settings is /app because that is the root of the context you're configuring.

Put another way, you can't configure the session for www.foo.com/ if you are only deploying into the www.foo.com/app context. Imagine if someone else were deploying apps into that URL; you can't just decide to make your session cookies apply to everyone operating under that URL.