
Jetty 7 will not allow me to customize a session cookie path

Using Jetty 7.0.2, I am unable to set a custom session cookie path.

I am hosting multiple sites on the same server using apache to proxy requests to the proper context. (replaced http with htp as stackoverflow thinks my multiple links might be spam)

<VirtualHost *:80>
  ServerName context.domain.com

  # Reverse proxy only. "ProxyRequests On" would additionally turn this host
  # into a forward proxy, which the <Proxy> block below only partly restricts.
  ProxyRequests Off
  ProxyPreserveHost Off

  <Proxy *:80>
    Order deny,allow
    Allow from 127.0.0.1
  </Proxy>

  ProxyPass / http://localhost:8080/context/
  ProxyPassReverse / http://localhost:8080/context/

  <Location />
    Order allow,deny
    Allow from all
  </Location>
</VirtualHost>

Jetty is running on the same server on port 8080 and my context is available at /context.

The user accesses the application at http://context.domain.com but Jetty is setting the path for the session cookie to /context. This prevents the browser from accessing the cookie, since the actual path to the context is not being used. I need to override Jetty's default setting to set the cookie for the context, and set the path at the root ( / ).

In my Jetty's webdefault.xml I have the following, which is partially working:

<context-param>
  <param-name>org.eclipse.jetty.servlet.SessionCookie</param-name>
  <param-value>CustomCookieName</param-value>
</context-param>
<context-param>
  <param-name>org.eclipse.jetty.servlet.SessionPath</param-name>
  <param-value>/</param-value>
</context-param>

The cookie is properly set with a custom name, but it is NOT setting the SessionPath. No matter what I set the value to, it refuses to set a cookie at any path but /context.

This has been driving me crazy so any help would be greatly appreciated.
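The question comes down to two things worth seeing in code: the browser's path-match rule (why a cookie carrying Path=/context is never attached to a request for /login on the public host), and the Set-Cookie rewrite the proxy can do when the backend cannot be told about the public path. Apache's mod_proxy has a directive for exactly that rewrite, ProxyPassReverseCookiePath /context / in the VirtualHost above. The block below is an added example, not code from the question, from Jetty or from Apache; the Set-Cookie header, the session id and the request paths are constructed, and the proxy mapping is the one from the config on this page.

```python
"""Added example: why a session cookie scoped to /context never comes back
when the public site is served from /, and what a Path rewrite at the proxy
changes. All inputs here are constructed."""

from typing import List, Tuple

# The two views of the same application, taken from the Apache config above:
PUBLIC_PATH = "/"          # ProxyPass / ...
BACKEND_PATH = "/context"  # ... http://localhost:8080/context/

# Constructed Set-Cookie header of the kind Jetty sends for its session
# cookie; the session id is made up.
JETTY_SET_COOKIE = "CustomCookieName=node01abc123; Path=/context; HttpOnly"


def parse_set_cookie(header: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a Set-Cookie value into (name, value, [(attr, attr_value), ...]).
    Attribute names keep their spelling; flag attributes such as HttpOnly
    get an empty string as value."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs: List[Tuple[str, str]] = []
    for item in rest:
        if not item:
            continue
        key, _, val = item.partition("=")
        attrs.append((key.strip(), val.strip()))
    return name.strip(), value.strip(), attrs


def serialize_set_cookie(name: str, value: str, attrs: List[Tuple[str, str]]) -> str:
    """Inverse of parse_set_cookie."""
    parts = [f"{name}={value}"]
    for key, val in attrs:
        parts.append(f"{key}={val}" if val else key)
    return "; ".join(parts)


def rewrite_cookie_path(header: str, backend_path: str, public_path: str) -> str:
    """Rewrite the Path attribute from the backend's view to the client's view.
    This is the job Apache's ProxyPassReverseCookiePath does (here it would be
    "ProxyPassReverseCookiePath /context /"). Paths that are not under
    backend_path are left untouched, so /contextual stays /contextual."""
    name, value, attrs = parse_set_cookie(header)
    bp = backend_path.rstrip("/")   # "/context"
    pp = public_path.rstrip("/")    # "" when the public site is the root
    rewritten = []
    for key, val in attrs:
        if key.lower() == "path" and (val == bp or val.startswith(bp + "/")):
            # "/context" -> "/", "/context/admin" -> "/admin"
            val = (pp + val[len(bp):]) or "/"
        rewritten.append((key, val))
    return serialize_set_cookie(name, value, rewritten)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the test a browser applies before
    attaching a stored cookie to a request."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def browser_sends_cookie(set_cookie_header: str, request_path: str) -> bool:
    """Would a browser that stored this cookie send it on request_path?
    Same host and scheme are assumed; Domain and Secure are out of scope.
    Simplification: a cookie without a Path attribute is treated as Path=/."""
    _, _, attrs = parse_set_cookie(set_cookie_header)
    cookie_path = next((v for k, v in attrs if k.lower() == "path"), "")
    if not cookie_path.startswith("/"):
        cookie_path = "/"
    return path_matches(request_path, cookie_path)


def demo() -> dict:
    """The situation in the question (user browsing /login on the public
    host, cookie scoped to /context) before and after the proxy rewrite."""
    fixed = rewrite_cookie_path(JETTY_SET_COOKIE, BACKEND_PATH, PUBLIC_PATH)
    return {
        "jetty_header": JETTY_SET_COOKIE,
        "rewritten_header": fixed,
        "sent_before_rewrite": browser_sends_cookie(JETTY_SET_COOKIE, "/login"),
        "sent_after_rewrite": browser_sends_cookie(fixed, "/login"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Rewriting at the proxy is the usual way out when the backend insists on its own context path, and it keeps Jetty's webdefault.xml untouched. One caveat to keep in mind when widening a session cookie to /: the Path attribute is a scoping hint, not an isolation boundary. RFC 6265 (section 8.6) states that cookies do not provide confidentiality between paths on the same origin, so the change above alters which requests carry the session id, not who on that origin can read it.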


Sounds like you've hit this bug, causing Jetty to always use the context path for session cookies.


I'm not as familiar with Jetty, but it sounds like at some point the client is accessing /Context, which is where the cookie is being generated. I would double-check the code and be sure that your cookie isn't being generated at the /Context of your site. It doesn't matter that your user is connecting to the domain root; the cookie doesn't look at where your user is connecting, it looks at where the cookie is generated from.

If your cookie is generated from /Context, your user could even access http://foobar.domain.com and it would still look like it's coming from /Context because that's where it's generated from. The only way around it is to generate the cookie at the root level and not on pages from the /Context area. This is to prevent cookie monsters from stealing cookie information from sites it doesn't belong to (if you host your site on foo.yahoo.com and create a cookie, this would keep a different site you don't own (bar.yahoo.com) from looking at your cookie). This is by design.
