JSESSIONID cookie exposed to non-secure pages after being set in a secure page
Posted on 2006-03-30
Requests to my application are handled in two ways:

1. Requests to static pages (i.e. .html, .jpg, etc.) are processed by an iPlanet server using the non-secure http protocol.
2. Requests to dynamic pages (i.e. .do, .jsp, etc.) are processed by a Weblogic server using the secure https protocol.

Dynamic pages require a session to be established with clients using the JSESSIONID cookie. The problem is that after a user accesses a dynamic page and the session id is set on the client computer, he/she then tries to access a static page, which exposes the session id.
I have attempted a fix where a filter on the iPlanet server expires the JSESSIONID cookie when a static page is accessed, but this solution only works with Internet Explorer.
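The leak described in the post, replayed with the standard-library cookie jar (which applies the same Netscape cookie rules a browser does), as an added example that is not part of the original post: a JSESSIONID set by the https side without the Secure attribute is attached to the next plain-http static request, while the same cookie with Secure is not. The hostname, paths and session value are constructed, and it is assumed both servers are reached under one hostname.

```python
"""Does a session cookie set over HTTPS leak on a plain-HTTP request?

Added example, not code from the original post. Uses http.cookiejar to
replay the scenario: WebLogic (https) sets JSESSIONID, the browser then
fetches a static file from iPlanet (http). The Secure attribute is what
keeps the cookie off the http request.
"""
import email.message
import http.cookiejar
import urllib.request

HOST = "www.example.com"  # constructed; assumes both servers share one hostname


class _Response:
    """Minimal stand-in for an HTTP response, shaped as CookieJar.extract_cookies expects."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_sent_to_static_page(set_cookie_header):
    """Return the Cookie header a browser would attach to the static-page
    request after the dynamic page set the given Set-Cookie, or None."""
    jar = http.cookiejar.CookieJar()

    # 1. Dynamic page over https sets JSESSIONID (constructed path).
    dynamic = urllib.request.Request(f"https://{HOST}/app/login.do")
    jar.extract_cookies(_Response([set_cookie_header]), dynamic)

    # 2. Browser then fetches a static image over plain http (constructed path).
    static = urllib.request.Request(f"http://{HOST}/images/logo.jpg")
    jar.add_cookie_header(static)
    return static.get_header("Cookie")


# Constructed session id, not a real one.
LEAKY = "JSESSIONID=ABC123SESSION; Path=/"
HARDENED = "JSESSIONID=ABC123SESSION; Path=/; Secure"

if __name__ == "__main__":
    print("without Secure:", cookie_sent_to_static_page(LEAKY))     # JSESSIONID=ABC123SESSION
    print("with Secure:   ", cookie_sent_to_static_page(HARDENED))  # None
```

Setting the Secure attribute when the session cookie is issued removes the need to expire it on the static side, so it does not depend on any one browser's handling of the expiring filter.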