I use Dojo to make XHR requests to a Java Servlet and I can't figure out how to get the value of the JSESSIONID cookie returned to me in the response header.

I need the session ID so I can use it within another web application (Flex) whose requests should use the same HttpSession (within the servlet) as for the initial web page requests.

My servlet container is Tomcat7 and I already configured the config.xml of my webApp with the useHttpOnly="false" setting so that the cookie should be available. However I just can't figure out how to extract it, dojo/cookie only gives me the cookies for the current page, not the HTTP request I just made.

Thanks.

greenkarmic
  • In case the session ID is set to `http only`, you won't be able to extract it. Btw: you do not **want** to do this because of session hijacking security issues... – home Oct 11 '13 at 17:26
  • I know, I asked this [question](http://stackoverflow.com/questions/19283375/servlet-session-without-cookies-ajax-requests-that-only-return-json/19292294#19292294) yesterday and unless I use SSL I don't believe I have a choice since my requests only return JSON content and so I can't use URL Rewriting. So if I can't use URL Rewriting and I can't use SSL (we don't use HTTPS) then I think session cookies is the only remaining option to maintain the session. The application is to be used within an intranet, so I'm hoping the risk is minimal. – greenkarmic Oct 11 '13 at 17:45

1 Answer

Why do you think you need to access the cookie yourself? The browser is responsible for handling cookies automatically. From the spec:

> If the user agent supports HTTP State Management it should persist, discard and send cookies (as received in the Set-Cookie response header, and sent in the Cookie header) as applicable.

Also, it is forbidden to attempt to retrieve the Set-Cookie header of an XHR request response.

In short: You can’t do what you are doing, and you shouldn’t have to. Flash uses the cookies from the browser when making requests, so long as it is properly configured. So, assuming the XHR sets the cookie first, Flash should also send it.

C Snover
  • Indeed, after a few days and further reading I understand these concepts a lot better. The reason I wanted to do this is because my initial web page was making the initial ajax request to the servlet, at which point the session was created. But then, after later loading a separate Flex application I wanted to keep using this same session, I wanted to tell the Flex application the session id so that it could use the same servlet session as the initial web page. Anyway, I hit more hurdles using cookies. Here's what I did instead. – greenkarmic Oct 16 '13 at 20:03
  • 1) Deactivate session cookies in the servlet config.xml. 2) Manually return the session id to the initial web page in the JSON response of the first request. 3) Load the Flex application in an iframe within the page, including the jsessionid as a query string parameter in the Flex application URL. 4) Within the Flex application, add ;jsessionid=123... to the URL for all requests to the servlet. 5) If the servlet does not recognize the session id, it tells the Flex application, which then kicks the user back to the initial web page using navigateToURL(myURL, "_top"); – greenkarmic Oct 16 '13 at 20:08
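
To illustrate the answer's point that the browser, not page script, handles `Set-Cookie` (an added example, not code from the original posts): a simplified JavaScript model of what happens to an XHR response's headers. The `CookieJar` class, the `receiveResponse` function and the sample headers are constructed for illustration, and the model ignores Domain, Path, Secure and expiry matching.

```javascript
// Simplified model of a browser cookie jar (constructed for illustration; real
// browsers also apply Domain, Path, Secure, SameSite and expiry rules).
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Store one Set-Cookie header value, e.g. "JSESSIONID=abc; Path=/app; HttpOnly".
  store(setCookieValue) {
    const [pair, ...attrs] = setCookieValue.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return; // ignore malformed cookies without a name
    const httpOnly = attrs.some(a => a.toLowerCase() === 'httponly');
    this.cookies.set(pair.slice(0, eq), { value: pair.slice(eq + 1), httpOnly });
  }

  // What page script sees through document.cookie: HttpOnly cookies are hidden.
  documentCookie() {
    return [...this.cookies].filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`).join('; ');
  }

  // What the browser attaches to the next request: every stored cookie.
  cookieHeader() {
    return [...this.cookies].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// Response headers the XHR spec hides from getResponseHeader()/getAllResponseHeaders().
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// Cookies go to the jar; script receives the headers minus the forbidden ones.
function receiveResponse(jar, rawHeaders) {
  const visible = {};
  for (const [name, value] of rawHeaders) {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name.toLowerCase())) jar.store(value);
    else visible[name.toLowerCase()] = value;
  }
  return visible;
}

// Constructed sample response from the servlet (the session ID is a placeholder).
const jar = new CookieJar();
const visibleToScript = receiveResponse(jar, [
  ['Content-Type', 'application/json'],
  ['Set-Cookie', 'JSESSIONID=EXAMPLE0123; Path=/app; HttpOnly'],
  ['Set-Cookie', 'theme=dark; Path=/app'],
]);
console.log(visibleToScript, jar.documentCookie(), jar.cookieHeader());
```
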