Secure authentication cookie

Raja_Kintali · October 28, 2016, 3:57am

Hi Guys,

I would like to make the authentication cookie secure. For that I added below config to application’s web.xml.


<session-config>
  	<cookie-config>
  		<secure>true</secure>
  	</cookie-config>
  </session-config>

Now after the successful login, I am not able to navigate to any other page. The application throws error javax.faces.application.ViewExpiredException.

It appears the MWS server is not validating the jsessionid on page navigation that is used to identify user’s session.

Do you have any thoughts on why jessionid is invalidated after successful login?

Stacktrace -
(javax.enterprise.resource.webcontainer.jsf.context:WARN) - javax.faces.application.ViewExpiredException: viewId:/page.xhtml - View /page.xhtml could not be restored
.
at com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:210)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(RestoreViewPhase.java:121)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198)
at com.webMethods.caf.faces.servlet.CAFFacesServlet.service(CAFFacesServlet.java:139)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:595)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:191)
at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:72)
at com.webMethods.portal.framework.presentation.renderers.DefaultRenderer.render(DefaultRenderer.java:324)
at com.webMethods.portal.framework.presentation.PresentationManager.handlePres(PresentationManager.java:434)
at com.webMethods.portal.framework.dispatch.DispatchManager.pres(DispatchManager.java:703)
at com.webMethods.portal.framework.dispatch.DispatchManager.handle(DispatchManager.java:533)
at com.webMethods.portal.framework.dispatch.DispatchManager.handleDispatch(DispatchManager.java:432)
at com.webMethods.portal.framework.impl.PortalServlet.service(PortalServlet.java:329)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

Kind regards,
Raj

system · October 28, 2016, 4:33am

Per: [url]RFC 6265: HTTP State Management Mechanism

When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS

Plus, I believe MWS would already set the secure flag for https connections without you doing anything special.

Raja_Kintali · October 28, 2016, 8:02am

Thanks Eric. It is clear to me now Yes I verified MWS by default is setting this flag on HTTPs.

Kind regards,
Raj

Topic		Replies	Views
Multiple MWS Instance _ Login Issue webMethods , webMethods-BPMS , MWS-CAF-Task-Engine	2	476	April 2, 2021
HTTP Header Authentication requires refresh webMethods , webMethods-BPMS , MWS-CAF-Task-Engine	2	4444	April 2, 2021
Setting cookie with ssnid to secure webMethods , Integration-Server-and-ESB , webMethods-Archive	1	2635	September 3, 2021
Maintaining session information for HTTP webMethods , webMethods-General , Integration-Server-and-ESB	8	7517	April 2, 2021
http to https webMethods , webMethods-BPMS , MWS-CAF-Task-Engine	2	877	April 2, 2021

Secure authentication cookie

Related Topics