StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PORemoving JSESSIONID in URL without using Filter and Wrapper
text
Body
copied!<p>I have created a <code>Filter</code> listening on an url-pattern of /* which replaces the <code>HttpServletRequest</code> with a <code>HttpServletRequestWrapper</code> implementation. </p> <p>I have a <code>Servlet</code> and in this <code>Servlet</code> am using <code>h:graphicImage</code> to render images fetching from <code>Apache</code> web server. </p> <p><code><h:graphicImage value="/locationInMyWebServer/myImage.jgp"></h:graphicImage></code></p> <p>When I hit the URL for accessing this page (containing image), the image was not getting displayed as <code>JSESSIONID</code> was getting appended to my image name. The URL that was getting formed was like below.</p> <p><code>http:/myDomain/myServlet/../myImage.jpg;JSESSIONID=ABCDEFGHIJKLMM</code></p> <p>Hence, I have used the <code>Filter</code> (more details about this filter is <a href="http://java.dzone.com/articles/java-jsessionid-harmful" rel="nofollow">here</a>) as stated in the beginning of my question. </p> <p>From this <code>Servlet</code> there is a link for logging in. When a User logs in, same <code>JSESSIONID</code> is getting retained even after authentication. Since, Session ID is same before logging in and after a user logs in, this is leading to Session-fixation attacks. </p> <p>How can I avoid using this filter and also solve my problem of <code>JSESSIONID</code> getting appended to images when I use <code>h:graphicImage</code> </p> <p><strong>PS:</strong> I can't use <code><img src></code> because my <code>h:graphicImage</code> is inside <code>h:commandLink</code></p> <p>Session Id was different before logging in and after logging in , before using this <code>Filter</code></p> <p><strong>I have added the relevant code below.</strong></p> <p>Below code is from my <code>web.xml</code> which has entry for <code>Filter</code></p> <pre><code><filter> <filter-name>URLSessionFilter</filter-name> <filter-class>myPackage.web.filter.URLSessionFilter</filter-class> </filter> <filter-mapping> <filter-name>URLSessionFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> </code></pre> <p>Code in my <code>URLSessionFilter</code> is below,</p> <pre><code>public class URLSessionFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if (!(request instanceof HttpServletRequest)) { chain.doFilter(request, response); return; } HttpServletResponse httpResponse = (HttpServletResponse)response; HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(httpResponse) { public String encodeRedirectUrl(String url) { return url; } public String encodeRedirectURL(String url) { return url; } public String encodeUrl(String url) { return url; } public String encodeURL(String url) { return url; } }; chain.doFilter(request, wrappedResponse); } public void init(FilterConfig filterConfig) { } public void destroy() { } } </code></pre> <p>There is a link in my Servlet on click of which login page will be displayed. Code is below,</p> <pre><code><h:commandLink action="#{myBean.myMethod}"> <h:graphicImage value="/myLocInWebserver/myImage.jpg"> </h:commandLink> </code></pre> <p>In <code>myBean.myMethod</code> , am doing some DB clean up activities and redirecting to login page.</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload