Angelo Santagata's Blog

Getting rid of the JSESSIONID from the URL for ADF/Webcenter

Angelo Santagata
Architect

Today's short snippet 

Yesterday I had a call from a partner of mine who is implementing a system, and they asked a curious question:

"Can we get rid of the JSESSIONID parameter from the URL line of a WebCenter application?"

My first thought was: why? It's part of the session management of any J2EE application. It turns out that the security-conscious client wants to make session hijacking of a WebCenter application much harder and doesn't like the jsessionid on the URL line.

Makes sense. A session ID carried in the URL ends up in browser history, bookmarks, proxy and web server logs, and in the Referer header sent to any third-party site the page links to, so it leaks far more easily than a cookie does.

Thankfully this is quite easy. WebLogic Server has a session-descriptor element in the weblogic.xml file which controls how sessions are managed, and one of its settings forces the JSESSIONID token to be carried only in a cookie and never rewritten into URLs. This obviously has the disadvantage that if the browser doesn't have cookies enabled then your application won't work.

Cookies can be intercepted or viewed too, so I also recommended that they rename the session cookie so that automated tools looking for JSESSIONID won't find it. Note that renaming only hides the cookie from naive tooling; anyone who can read the traffic still gets the session, so treat it as a minor hardening step rather than real protection.

The session-descriptor in weblogic.xml now looks like this:

  <session-descriptor>
    <cookie-name>MYAPPSESSID</cookie-name>
    <url-rewriting-enabled>false</url-rewriting-enabled>
  </session-descriptor> 

You can also set this from JDeveloper by editing your project's weblogic.xml file and using the "Overview" mode of the editor.


Obviously the next thing is to ensure that all communication is also SSL/TLS encrypted. Once it is, set cookie-secure to true in the same session-descriptor so the browser never sends the renamed session cookie over plain HTTP; WebLogic also supports cookie-http-only, which keeps the cookie out of reach of page scripts.
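As an added check (example code written for this page, not from the post or from Oracle), here is a small Python script that audits both a weblogic.xml session-descriptor and a captured HTTP response for the settings discussed above: URL rewriting off, a non-default cookie name, and the Secure and HttpOnly cookie attributes. The two sample descriptors, the sample Set-Cookie headers and the HTML body are constructed for the example; cookie-secure and cookie-http-only are real weblogic.xml elements, and the defaults applied when an element is absent are the ones WebLogic documents.

```python
"""Audit the WebLogic session-tracking hardening described in the post.

Two offline checks: one parses a weblogic.xml session-descriptor, the other
inspects an HTTP response (Set-Cookie headers plus HTML body) the way a
deployed application would return it. All sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Values WebLogic applies when the element is absent from session-descriptor.
DEFAULTS = {
    "cookie-name": "JSESSIONID",
    "url-rewriting-enabled": "true",
    "cookie-secure": "false",
    "cookie-http-only": "true",
}

# Constructed sample: a descriptor that never touches session tracking.
WEAK_WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <session-descriptor>
    <timeout-secs>1800</timeout-secs>
  </session-descriptor>
</weblogic-web-app>
"""

# Constructed sample: the post's descriptor plus the two cookie flags.
HARDENED_WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <session-descriptor>
    <cookie-name>MYAPPSESSID</cookie-name>
    <url-rewriting-enabled>false</url-rewriting-enabled>
    <cookie-secure>true</cookie-secure>
    <cookie-http-only>true</cookie-http-only>
  </session-descriptor>
</weblogic-web-app>
"""

# Constructed sample responses (WebLogic session ids contain '!').
WEAK_RESPONSE_HEADERS = ["JSESSIONID=AbC123!xyz; Path=/; HttpOnly"]
WEAK_RESPONSE_BODY = '<a href="/faces/home.jspx;jsessionid=AbC123!xyz">Home</a>'
HARDENED_RESPONSE_HEADERS = ["MYAPPSESSID=AbC123!xyz; Path=/; Secure; HttpOnly"]
HARDENED_RESPONSE_BODY = '<a href="/faces/home.jspx">Home</a>'

JSESSIONID_IN_URL = re.compile(r";jsessionid=[0-9A-Za-z!_.-]+", re.IGNORECASE)


def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def session_settings(xml_text):
    """Return the effective session-descriptor settings with defaults applied."""
    settings = dict(DEFAULTS)
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "session-descriptor":
            for child in el:
                settings[_local(child.tag)] = (child.text or "").strip()
    return settings


def audit_weblogic_xml(xml_text):
    """List findings for a weblogic.xml; an empty list means it is hardened."""
    s = session_settings(xml_text)
    findings = []
    if s["url-rewriting-enabled"].lower() != "false":
        findings.append("url-rewriting-enabled is not false: session id can appear in URLs")
    if s["cookie-name"] == "JSESSIONID":
        findings.append("cookie-name is the default JSESSIONID")
    if s["cookie-secure"].lower() != "true":
        findings.append("cookie-secure is not true: cookie will be sent over plain HTTP")
    if s["cookie-http-only"].lower() != "true":
        findings.append("cookie-http-only is not true: cookie readable from page script")
    return findings


def audit_response(set_cookie_headers, body, cookie_name):
    """Check a captured response for rewritten URLs and weak cookie attributes."""
    findings = []
    if JSESSIONID_IN_URL.search(body):
        findings.append("response body contains ;jsessionid= rewritten links")
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        if name != cookie_name:
            continue
        attrs = {a.strip().lower() for a in header.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"{name} cookie lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"{name} cookie lacks HttpOnly")
    return findings


if __name__ == "__main__":
    print("weak weblogic.xml:", audit_weblogic_xml(WEAK_WEBLOGIC_XML))
    print("hardened weblogic.xml:", audit_weblogic_xml(HARDENED_WEBLOGIC_XML))
    print("weak response:", audit_response(WEAK_RESPONSE_HEADERS, WEAK_RESPONSE_BODY, "JSESSIONID"))
    print("hardened response:", audit_response(HARDENED_RESPONSE_HEADERS, HARDENED_RESPONSE_BODY, "MYAPPSESSID"))
```

The response check matters because a deployment plan or a console change can override what the packaged weblogic.xml says; feeding it the real Set-Cookie headers and the first page of the deployed application confirms the behaviour rather than the intent.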

Comments ( 3 )
  • Jaseer Abubakar Wednesday, February 6, 2013

    Thanks, this was useful for us in our project


  • guest Wednesday, April 3, 2013

    Are there any "security" benefits to this in conjunction with Discoverer Viewer/Plus? We already have SSL enabled for Discoverer in a non-SSO environment. On a related note, is there a way to make Discoverer-related "cookies" more "secure"?


  • LUIS RODRIGUEZ Wednesday, June 12, 2013

    Interesting hint, thanks. Do you know if there is any way of disabling it by default for all the deployed applications? See https://forums.oracle.com/thread/2549398
