First, you should note that disabling session cookies could cause a security
problem by leaking the session id in the URL.
For example:
http://seckb.yehg.net/2012/06/httponly-session-id-in-url-and-page.html
If you don't care about that security problem, then a workaround to this issue
would be to add the javamelody ReportServlet to your webapp. For this, just add
the following to the WEB-INF/web.xml file of your webapp:
<servlet>
    <servlet-name>monitoringServlet</servlet-name>
    <servlet-class>net.bull.javamelody.ReportServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>monitoringServlet</servlet-name>
    <url-pattern>/monitoring</url-pattern>
</servlet-mapping>
You can change the url-pattern above to anything you want, provided that you
use the same path in your browser to access the reports.
Original comment by evernat@free.fr
on 22 Dec 2014 at 2:17
We are aware of the problem with session ids in URLs. But we use them in
combination with a security token inside an HttpOnly cookie. So an attacker
would need both the session id from the URL and the token from the cookie to
access our page.
Thanks for the hint with the ReportServlet. It works now.
Maybe this Servlet could be documented somewhere? I searched in the user guide
and user guide advanced for ReportServlet but did not find anything.
Original comment by daniel.f...@gmail.com
on 24 Dec 2014 at 6:44
I have now documented the ReportServlet at:
https://code.google.com/p/javamelody/wiki/UserGuideAdvanced#Using_a_servlet_to_display_the_monitoring_reports
(And I will not change the code, to strip possible sessionIds from the
requestUri, because I think that it is a very rare case and it's better to keep
performance overhead as low as possible.)
Original comment by evernat@free.fr
on 10 Jan 2015 at 7:10
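The check the maintainer declines to add above can be done on the application side instead. The following servlet filter is an added example, not javamelody code: it strips servlet path parameters such as `;jsessionid=...` from the request URI that downstream filters and servlets see, so that a URL-rewritten request for `/monitoring;jsessionid=ABC` is matched as `/monitoring`. It assumes the monitoring filter compares against `HttpServletRequest.getRequestURI()` (which the thread implies but does not show), and the class name and web.xml registration order are the example's own choices. The container has already parsed the requested session id before any filter runs, so `getSession()` keeps working on the wrapped request.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Added example (not part of javamelody): hides ";name=value" path parameters,
 * most notably ";jsessionid=...", from filters and servlets further down the chain.
 *
 * Register it in WEB-INF/web.xml BEFORE the javamelody filter, since filters run
 * in the order of their filter-mapping elements:
 *
 *   <filter>
 *     <filter-name>stripPathParameters</filter-name>
 *     <filter-class>StripPathParametersFilter</filter-class>   <!-- hypothetical class name -->
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>stripPathParameters</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class StripPathParametersFilter implements Filter {

    /**
     * Removes ";name=value" path parameters from every path segment.
     * "/monitoring;jsessionid=ABC" becomes "/monitoring" and
     * "/app;a=1/page;b=2" becomes "/app/page"; a URI without ';' is returned unchanged.
     * getRequestURI() never carries the query string, so '?' needs no special handling here.
     */
    static String stripPathParameters(String uri) {
        if (uri == null || uri.indexOf(';') < 0) {
            return uri;
        }
        StringBuilder sb = new StringBuilder(uri.length());
        // limit -1 keeps empty leading/trailing segments so "/a/" stays "/a/"
        for (String segment : uri.split("/", -1)) {
            int semi = segment.indexOf(';');
            sb.append(semi < 0 ? segment : segment.substring(0, semi)).append('/');
        }
        sb.setLength(sb.length() - 1); // drop the separator appended after the last segment
        return sb.toString();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            final HttpServletRequest httpRequest = (HttpServletRequest) request;
            final String uri = httpRequest.getRequestURI();
            final String clean = stripPathParameters(uri);
            if (!clean.equals(uri)) {
                // Only the URI view changes; session lookup still uses the id the
                // container already extracted from the original URL.
                request = new HttpServletRequestWrapper(httpRequest) {
                    @Override
                    public String getRequestURI() {
                        return clean;
                    }
                };
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Note that this does not remove the security problem evernat points out: the session id is still transmitted in the URL (and therefore in Referer headers, proxy logs and browser history); the filter only keeps URL-rewritten requests from breaking exact-path matching. A site that wants to avoid the leak entirely should keep cookie-based session tracking instead.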
Original issue reported on code.google.com by
daniel.f...@gmail.com
on 22 Dec 2014 at 1:02