I am using JBoss EAP 5.2. In order to use httpOnly and secure cookies I changed the context.xml file, adding:
<Context cookies="true" crossContext="true" >
    <SessionCookie secure="true" httpOnly="true" />
    ....
But now I can see the jsessionid in the URL in all requests. So in order to hide it I wrote a filter as suggested on Red Hat's website (https://access.redhat.com/solutions/16169):
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class JsessionIdRemoveFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests carry a session id; pass anything else straight through.
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Redirect requests with JSESSIONID in URL to clean version (old links bookmarked/stored by bots)
        // This is ONLY triggered if the request did not also contain a JSESSIONID cookie! Which should be fine for bots...
        if (request.isRequestedSessionIdFromURL()) {
            String url = request.getRequestURL()
                    .append(request.getQueryString() != null ? "?" + request.getQueryString() : "")
                    .toString();
            response.setHeader("Location", url);
            response.sendError(HttpServletResponse.SC_MOVED_PERMANENTLY);
            return;
        }

        // Prevent rendering of JSESSIONID in URLs for all outgoing links:
        // every encode*() method returns the URL unchanged, so the container
        // never appends ;jsessionid=... to links or redirects.
        HttpServletResponseWrapper wrappedResponse = new HttpServletResponseWrapper(response) {
            @Override
            public String encodeRedirectUrl(String url) {
                return url;
            }

            @Override
            public String encodeRedirectURL(String url) {
                return url;
            }

            @Override
            public String encodeUrl(String url) {
                return url;
            }

            @Override
            public String encodeURL(String url) {
                return url;
            }
        };
        chain.doFilter(req, wrappedResponse);
    }

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}
But now I cannot log in; I get an exception: javax.faces.application.ViewExpiredException
What am I missing? Please help.
In order to use secure=true, a certificate needs to be installed so the requests go through https
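The following is an added example, not the asker's filter and not the code from the Red Hat article. It puts the answer's point into a runnable form: a JSESSIONID cookie flagged Secure is never sent back over plain HTTP, so every http:// request arrives without a session, JSF cannot find the saved view state, and ViewExpiredException follows. The filter therefore (1) redirects plain-HTTP requests to HTTPS before anything else, (2) logs whether the presented session id came from a cookie or the URL and whether the server still knows it, which is the check to run when diagnosing the exception, (3) redirects URLs carrying ";jsessionid=" to the clean URL and (4) disables URL rewriting as in the question. The class name, the "httpsPort" init-param and the log messages are assumptions of this example.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (added example; not the question's or Red Hat's code).
public class SecureSessionFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SecureSessionFilter.class.getName());

    // HTTPS port used for the redirect; read from the "httpsPort" init-param (assumed name).
    private int httpsPort = 443;

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("httpsPort");
        if (p != null) {
            httpsPort = Integer.parseInt(p.trim());
        }
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Request path with any ";jsessionid=..." path parameter removed and the query string kept.
        String cleanPath = request.getRequestURI().replaceAll("(?i);jsessionid=[^;/?]*", "")
                + (request.getQueryString() != null ? "?" + request.getQueryString() : "");

        // 1. A Secure cookie only travels over TLS: send plain-HTTP requests to HTTPS first.
        if (!request.isSecure()) {
            String portPart = (httpsPort == 443) ? "" : ":" + httpsPort;
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", "https://" + request.getServerName() + portPart + cleanPath);
            return;
        }

        // 2. Diagnostics: a request that presents an id the server no longer knows,
        //    or no id at all, is exactly what precedes ViewExpiredException.
        String presented = request.getRequestedSessionId();
        if (presented == null) {
            LOG.fine("no session id presented for " + request.getRequestURI());
        } else if (!request.isRequestedSessionIdValid()) {
            LOG.warning("unknown session id presented via "
                    + (request.isRequestedSessionIdFromCookie() ? "cookie" : "URL")
                    + " for " + request.getRequestURI());
        }

        // 3. Session id in the URL (old bookmark, crawler): redirect to the clean absolute URL.
        if (request.isRequestedSessionIdFromURL()) {
            int port = request.getServerPort();
            String origin = "https://" + request.getServerName() + (port == 443 ? "" : ":" + port);
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", origin + cleanPath);
            return;
        }

        // 4. Disable URL rewriting so generated links and redirects never carry the id.
        HttpServletResponseWrapper noRewrite = new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override public String encodeUrl(String url) { return url; }
            @Override public String encodeRedirectUrl(String url) { return url; }
        };
        chain.doFilter(request, noRewrite);
    }
}
```

Map the filter in web.xml ahead of the Faces Servlet so the HTTPS redirect happens before JSF restores any view. If the log shows the "unknown session id" warning, or no id at all, on every request after the login POST, the cookie is not coming back, which points at the Secure flag being set on a plain-HTTP deployment. When TLS is terminated at a front proxy, the JBoss connector must be marked secure="true" (and scheme="https") so that request.isSecure() reflects the client connection, otherwise step 1 redirects in a loop. The container-native alternative to step 1 is a web.xml security-constraint with transport-guarantee CONFIDENTIAL.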