Hi Gurus,
I am using NW AS Java 7.3. I have a problem with the jsessionid: it is not renewed when a new session is created if the HTTP request URL contains the jsessionid. I have created a simple test case:
HTTP request (GET):
http://127.0.0.1:50000/login.do;jsessionid=gYArgRJKi-vPaGaS5Pm6FJ0rBFiiPwGK8H8A_SAPEnAYRDDZbFI4us7UI9Xyyn;saplb_*=(J2EE8114620)8114650
Login.java:
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>Logging on");

        // Drop whatever session the incoming jsessionid resolved to.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Ask the container for a brand-new session and print its ID.
        out.println("<p>request.getSession(true);</p>");
        session = request.getSession(true);
        out.println("<p>session.getId()=</p>" + session.getId());
        out.println("</body></html>");
    }
Result:
Logging on
request.getSession(true);
session.getId()=
gYArgRJKi-vPaGaS5Pm6FJ0rBFiiPwGK8H8A_SAP
Meaning that with the same URL, the exact same jsessionid (gYArgRJKi-vPaGaS5Pm6FJ0rBFiiPwGK8H8A_SAP) will always be created. Additionally, my business requirement requires always using URL session tracking. Hence, I have this in web-j2ee-engine.xml:
<url-session-tracking>true</url-session-tracking>
I have checked SAP note 1310561. It states that such session fixation issues have been resolved in NW 7.3. How can I have the jsessionid renewed when a session is created, even though the jsessionid is specified in the URL and URL session tracking is always enabled?
Or is SessionIdRegenerationEnabled not applicable to the 'url-session-tracking = true' scenario?
Thanks a lot in advance. Any help will be appreciated greatly.
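An application-level guard for the behaviour described in the post, as an added example that is not part of the original post and not SAP code: it compares the ID the client supplied with the ID of the freshly created session and fails closed when the container handed the same value back. It uses only the standard Servlet 2.5 API; the class name `FixationCheckLogin`, the helper `isClientChosenId` and the 409 response are assumptions, and the prefix match reflects the post's URL, where the supplied value carries extra characters after the ID that `session.getId()` returns.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for illustration; standard Servlet API calls only.
public class FixationCheckLogin extends HttpServlet {

    // True when the issued ID is the one the client sent. startsWith() also
    // covers a requested value that carries a suffix after the real ID.
    static boolean isClientChosenId(String requestedId, String issuedId) {
        return requestedId != null && issuedId != null
                && issuedId.length() > 0 && requestedId.startsWith(issuedId);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Capture what the client supplied before touching the session.
        String requestedId = request.getRequestedSessionId();
        boolean fromUrl = request.isRequestedSessionIdFromURL();

        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);

        if (isClientChosenId(requestedId, fresh.getId())) {
            // The new session kept the caller-supplied ID: never attach
            // authenticated state to it. Log the event, not the ID itself.
            fresh.invalidate();
            log("Session ID reused after invalidate(); fromUrl=" + fromUrl);
            response.sendError(HttpServletResponse.SC_CONFLICT, "Session could not be renewed");
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("New session issued");
    }
}
```

This detects the reuse and refuses to proceed; it does not make the container generate a new ID.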