Today's short snippet
Yesterday I had a call from a partner of mine who is implementing a system, and they asked a curious question:
"Can we get rid of the JSESSIONID parameter from the URL line of a Webcenter application?"
My first thought was: why? It is part of the session management of any J2EE application. It turns out the security-conscious client wants to make session hijacking of a Webcenter application much harder, and doesn't like the jsessionid appearing on the URL line.
Thankfully this is quite easy. WebLogic Server has a block in the weblogic.xml file (the session-descriptor element) that controls how sessions are tracked, and one of its settings disables URL rewriting so that the JSESSIONID token is only ever carried in a cookie, never appended to URLs. URL rewriting is normally WebLogic's fallback when a browser sends no cookie, so switching it off means the session ID no longer ends up in links, bookmarks, browser history, proxy and web server logs, or the Referer header of any request to a third party. The obvious disadvantage is that if the browser doesn't have cookies enabled, the application won't work.
Cookies can also be intercepted or viewed, so I also recommended that they rename the session cookie so that automated tools looking for the default JSESSIONID name won't find it immediately. Renaming is only obscurity, though: the controls that actually protect the cookie are the Secure and HttpOnly flags, which the same session-descriptor block can set.
The weblogic.xml now looks like
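The post's own weblogic.xml snippet is not reproduced above, so the following is an added example (my file, not the author's) of a session-descriptor carrying the settings discussed. The element names are WebLogic's; the namespace assumes WebLogic 10.3/11g, and the cookie name, cookie path and timeout values are assumptions chosen for illustration. Leaving url-rewriting-enabled out altogether gives the weak default, where WebLogic rewrites ;jsessionid=... into URLs whenever no cookie arrives.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original post's file.
     Namespace assumed for WebLogic 10.3 / 11g; on 9.x/10.0 it is
     http://www.bea.com/ns/weblogic/90 instead. -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">

  <session-descriptor>
    <!-- Never rewrite the session ID into URLs (;jsessionid=...).
         Default is true: a cookieless client gets rewritten links.
         With false, such a client simply gets a fresh session per request. -->
    <url-rewriting-enabled>false</url-rewriting-enabled>

    <!-- Track sessions by cookie (the default, stated here explicitly). -->
    <cookies-enabled>true</cookies-enabled>

    <!-- Rename the cookie so scanners keyed on "JSESSIONID" don't spot it
         at once. The name WCSESSION is an assumption for illustration. -->
    <cookie-name>WCSESSION</cookie-name>

    <!-- Only send the cookie over HTTPS. The application must then be
         reached over SSL, or the browser will never return the cookie. -->
    <cookie-secure>true</cookie-secure>

    <!-- Keep the cookie out of document.cookie, so script injected by an
         XSS bug cannot read and exfiltrate it (WebLogic 10.3 and later). -->
    <cookie-http-only>true</cookie-http-only>

    <!-- Scope the cookie to this application's context path (assumed /wc)
         rather than the whole host. -->
    <cookie-path>/wc</cookie-path>

    <!-- Idle timeout in seconds; 30 minutes is an assumed value. -->
    <timeout-secs>1800</timeout-secs>
  </session-descriptor>

</weblogic-web-app>
```

After redeploying, confirm the effect by fetching a page that previously carried ;jsessionid= in its links: the links should now be clean, and the Set-Cookie header should show the renamed cookie with the Secure and HttpOnly attributes.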
You can also set this from JDeveloper by editing your project's weblogic.xml file and using the "overview" mode of the wizard.
Obviously the best next step is to ensure all communication is SSL encrypted as well, and to mark the session cookie Secure so the browser never sends it over a plain HTTP connection.