12

We migrated our application from JBoss 5 to JBoss 6, and one of the main reasons for this was to make use of the new features of Servlet 3.0. Everything works fine apart from one new feature of JBoss 6 and Servlet 3.0: setting the session cookie to only be transferred through a secure channel, even if the request was made through plain HTTP. This is a very important security feature for us and is achieved by adding

<secure>true</secure>

in web.xml. This is part of our web.xml:

<session-config>
    <session-timeout>25</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

When we remove the

<secure>true</secure>

everything works fine. When it is there, a new jsessionid is generated for each request, whether on a secure page (HTTPS) or on an unsecured page (HTTP). Also, the login does not work, since after logging in with secure credentials the user is redirected back to the login page.

I suppose this might be also an issue with Tomcat 7 since it also uses the servlet 3.0 spec. Any advice would be much appreciated.

Regards

Alex
    Forgive me offtopic, but IMHO JBoss AS 6 is almost as buggy as 5. Be careful. Just look at the JIRA tickets with status `closed` and `won't fix`. Why not JBoss AS 7? – G. Demecki Jan 27 '14 at 14:45
    @GrzesiekD thanks for your comment. We have in fact migrated to 7 now. This question is now almost 2 years old. – Alex Jan 28 '14 at 15:25
  • Yes, you're right. I noticed this after posting a comment. Mea culpa. – G. Demecki Jan 29 '14 at 16:39
  • @Alex: have you found any solution? If so, please post it as an answer to help future visitors. – Mohammad Faisal Aug 13 '14 at 04:52
  • @MohammadFaisal we did not fix this issue and we did not make use of the `true` feature at all. We migrated to JBoss AS 7 once it was released. – Alex Aug 14 '14 at 07:23
  • @Alex I don't know which specific version of JBoss you were using at the time, but using JBoss 6.1.0 Final (the latest available) I was able to configure the desired security properly, just as you described. I am confident it was a buggy version/library or configuration problem. I wasn't able to simulate your situation. We also have some JBoss 6.1 still working in one customer and that configuration works fine. I am sorry I was too late to answer this question earlier. – Evandro Pomatti Jan 22 '15 at 00:36

1 Answer

2

According to the HTTP Specification:

Secure

Optional. The Secure attribute (with no value) directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie.

The user agent (possibly under the user's control) may determine what level of security it considers appropriate for "secure" cookies. The Secure attribute should be considered security advice from the server to the user agent, indicating that it is in the session's interest to protect the cookie contents.

It means that the specification leaves it open to the browser (user agent) to define what is "secure".

The Secure element in the web.xml is a reference for the HTTP Cookie Secure property, and you can track that value with your browser's debug tool.

If the communication is not "secure", the browser won't send the received cookie to the server on the following requests.

The problem is not JBoss always returning new cookies, but the browser not sending the cookie back because the communication is unsecure. JBoss then creates a new session for every request.

It is very clear that for non-encrypted communication (not HTTPS) the browser won't send the cookie, this is expected since you are marking the cookie as secure = true.

But, even if you are using HTTPS, the "secure" is relative to the browser concept of security, for example:

  • Certificate can be expired
  • Certificate is self-signed
  • You are using a hostname different from the one the certificate was signed for

These and other security problems can happen using TLS, meaning the communication is not secure.

The problem must be with your SSL/TLS or Cookie configuration, which means you have to check what you have done and isolate the problem. I don't think there is any bug in JBoss or JBossWeb (Tomcat 6 fork) causing it, and for sure it is not a specification error.

I was able to configure a JBoss 6.1.0 Final with TLS and with your web.xml configuration, and everything worked as expected.

I suggest you double-check your configuration, browser debug output and alerts.

Evandro Pomatti
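The mechanism the answer describes, as an added example that is not part of the question or answer above: a toy model of the browser's cookie jar (a Secure cookie is stored but withheld on non-https requests) and of the container (a request arriving without a known JSESSIONID mints a new session). It assumes a plain URL-scheme check for "secure", so it does not model a browser refusing a cookie over HTTPS with a bad certificate; the session ids and URLs are constructed.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); valueless attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs

def browser_will_send(attrs, request_url):
    """User-agent rule from the answer: a Secure cookie is only sent back over https."""
    return not (attrs.get("secure") and urlsplit(request_url).scheme != "https")

def container_response(live, presented_id, secure_flag):
    """Toy servlet container: a missing or unknown JSESSIONID mints a new session.
    Returns (session id used, Set-Cookie header or None)."""
    if presented_id in live:
        return presented_id, None
    sid = f"SID{len(live) + 1:03d}"  # constructed ids, not real JSESSIONID values
    live.add(sid)
    header = f"JSESSIONID={sid}; Path=/; HttpOnly"
    if secure_flag:  # the <secure>true</secure> setting from cookie-config
        header += "; Secure"
    return sid, header

def simulate(secure_flag, url, requests=3):
    """Drive one client through several requests; return the session ids the server used."""
    live, jar, seen = set(), {}, []
    for _ in range(requests):
        presented = None
        if "JSESSIONID" in jar:
            value, attrs = jar["JSESSIONID"]
            if browser_will_send(attrs, url):  # stored by the browser, but maybe withheld
                presented = value
        sid, set_cookie = container_response(live, presented, secure_flag)
        seen.append(sid)
        if set_cookie:
            name, value, attrs = parse_set_cookie(set_cookie)
            jar[name] = (value, attrs)
    return seen

if __name__ == "__main__":
    for secure, url in [(True, "http://app.example/"), (True, "https://app.example/"),
                        (False, "http://app.example/")]:
        print(secure, url, simulate(secure, url))
```

With the Secure flag over plain HTTP every request gets a fresh session id, which is exactly the symptom in the question; over HTTPS the same id is reused.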