How to properly set JSESSIONID cookie path behind reverse proxy
-
14-11-2019 - |
Question
My web app is running in Tomcat at http://localhost:8080/example.com/
but it is being reverse proxied from Apache that is serving up http://example.com/
on port 80. My web app looks at the request.getHeader("x-forwarded-host")
header to know that it is behind a reverse proxy. When it detects this (dynamically) it builds URLs without the servlet path on them.
This works fine for everything except for the JSESSIONID cookie. It gets set with a path of /example.com
instead of /
when it is accessed through the reverse proxy. I can't figure out how I can have my code tell Tomcat to override the path for that cookie when there is a x-forwarded-host
header on the request.
I've tried setting the JSESSIONID cookie from the web app myself, but that just results in two Set-Cookie headers, only one of which is correct.
Solution
Tomcat6 uses the Servlet 2.3 spec. It does not support changing the cookie path either through code or Tomcat configuration.
I got it to work from the Apache side with some mod_proxy
directives. The ProxyPassReverseCookiePath
directive does exactly what I want. It takes the cookie from Tomcat with the incorrect path and rewrites it to the correct path.
<VirtualHost *:*>
Servername example.com
ProxyRequests Off
ProxyPass / http://localhost:8080/example.com/
ProxyPassReverseCookiePath /example.com /
ProxyPassReverseCookieDomain localhost example.com
</VirtualHost>
OTHER TIPS
Alternatively set the attribute sessionCookiePath of the node /Context (file: /conf/context.xml) to "/":
<Context sessionCookiePath="/">
Have a look at: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html for more info
Version 3.0 of the Servlet spec introduced functionality for controlling the session cookie: http://docs.oracle.com/javaee/6/api/javax/servlet/ServletContext.html#getSessionCookieConfig()
SessionCookieConfig scc = getServletContext().getSessionCookieConfig();
scc.setPath("/");
scc.setDomain("example.com");
Tomcat 7 uses version 3 of the Servlet specification.