I have a JSF 2.0 application, let's call it "MyApp", with a
SessionScoped bean that uses the below code to get the session and set the path on init...
HttpServletRequest request = (HttpServletRequest)FacesContext.getCurrentInstance().getExternalContext().getRequest(); //Get request from external context
HttpSession session = request.getSession(false); //Get session and don't create one if it doesn't exist
session.getServletContext().getSessionCookieConfig().setPath(""); //Set the path in the session's cookie
My problem is that the updated path ("") doesn't show up in the response session cookie,
JSESSIONID, until the second request to the application. The first request gets a
JSESSIONID cookie in the response with the default path, which includes the application's root context ("/MyApp"). If I reload the page, this second request will get a response with a
JSESSIONID cookie that includes the updated path ("").
I can't seem to find any documentation on when the default
JSESSIONID cookie is created and added to the response. I'm not sure if the updated session path is being set in the first response's
JSESSIONID cookie or if it's being set and overridden by the page's default
- When does the default JSESSIONID cookie get added to the response?
- Is it possible to disable the page's default JSESSIONID cookie from being created?
Best How To :
When does the default JSESSIONID cookie get added to the response?
When the HTTP session is created for the first time. E.g. when JSF needs to put a newly created session scoped bean in there. So if you're writing some code in such a bean which should manipulate the session, then you're basically already too late.
Your code snippet is also a strong evidence for it. If the session was really not created, then
request.getSession(false) would have returned
null and subsequently, calling
session.getServletContext() would have thrown a
NullPointerException and you'd have asked a very different question.
Is it possible to disable the page's default JSESSIONID cookie from being created?
I believe you're asking the wrong question. You actually want to ask how to set the session cookie path the right way.
You're supposed to configure the session cookie path in
web.xml as below:
If you really intend to do it programmatically for some unclear reason which is not elaborated in the question, then you should be doing this before the HTTP session is created for the first time. In other words, you should absolutely not be doing this in a session scoped JSF managed bean, nor be grabbing the needed
ServletContext from the
Most sensible place would be a servlet context listener or, if you really need it to be "JSF-ish", then an eagerly initialized application scoped bean. Please note that this is an application-wide setting, not a session-wide setting. It being a property of
ServletContext (and not of
HttpSession) already hints that. Thus, once you set it, it affects all newly created session cookies. Depending on the concrete functional requirement which you told nothing about, there may be better ways. E.g. an additional cookie.