Skip to main content

Securing JSESSIONID cookie if tomcat is fronted by apache

In my previous post Creating a custom Valve in tomcat I descibed the valve solution I tried to secure the JSESSIONID cookie but it didnt worked so finally I had to patch the tomcat class to get it working. We are using tomcat 5.5.28 so I downloaded the source and modify the class apache-tomcat-5.5.24-src/container/catalina/src/share/org/apache/catalina/connector/ In addCookie method I had to add this code

 String cookieName = cookie.getName();
 if (request != null && "JSESSIONID".equals(cookieName)) {
    String clientId = request.getHeader("X-Forwarded-For");
    if (clientId != null) {

Then compile the code and replace the catalina.jar in tomcathome/server/lib


  1. Cool! Did you send patch back to ASF guys? :)

  2. no no its not a tomcat bug, but its the way we put apache/nginx in front of tomcat so that we don't want tomcat to handle SSL traffic. Apache handles SSL and by the time it reaches tomcat the request is no longer secure and thats why tomcat was not creating secure cookie. So it was a workaround to do it. This can also be used to set JSESSIONID a domain wide cookie in case you have diff tomcats using diff subdomain. I think newer tomcat may support this as an attribute already but we couldnt upgrade to new tomcat in this short timeframe.


Post a Comment

Popular posts from this blog

RabbitMQ java clients for beginners

Here is a sample of a consumer and producer example for RabbitMQ. The steps are
Download ErlangDownload Rabbit MQ ServerDownload Rabbit MQ Java client jarsCompile and run the below two class and you are done.
This sample create a Durable Exchange, Queue and a Message. You will have to start the consumer first before you start the for the first time.

For more information on AMQP, Exchanges, Queues, read this excellent tutorial
import com.rabbitmq.client.Connection; import com.rabbitmq.client.Channel; import com.rabbitmq.client.*; public class RabbitMQProducer { public static void main(String []args) throws Exception { ConnectionFactory factory = new ConnectionFactory(); factory.setUsername("guest"); factory.setPassword("guest"); factory.setVirtualHost("/"); factory.setHost(""); factory.setPort(5672); Conne…

Spring query timeout or transaction timeout

If you are using spring to manage transactions then you can specify default transaction timeout using

    <bean id="transactionManager"
        <property name="dataSource" ref="dataSource" />
        <property name="defaultTimeout" value="30" /> <!--30 sec--->             

or you can override the timeout in the annotation

    @Transactional(readOnly = false, timeout=30)

or if you are doing it programatic transactions then you can do

DataSourceTransactionManager transactionManager = new DataSourceTransactionManager(dataSource);

 or you can override the timeout for one particular transaction

TransactionTemplate transactionTemplate = new TransactionTemplate();

Python adding pid file

I have a thumbnail generator that launches multiple processes and the correct way to shut it down is to send kill -HUP to the parent process. To automate I had to write a pid file from python, it was a piece of cake
def writePidFile(): pid = str(os.getpid()) f = open('', 'w') f.write(pid) f.close()