Monday, November 25, 2013

Java EE 7 Tip of the Day: Programmatic Control of Session Tracking with ServletContextListener

Have you ever had a developer modify a web.xml file to change session configuration? Have they forgotten to change it back from "developer mode" back to "deployment mode"? I am sure all of you have done something like that at some point in time. I am no exception. This tip of the day comes from that very issue.

The issue here is that we want to control session tracking. In the web.xml file you may have something that looks like:

OK, let me re-phrase that. You were expecting that, but instead you have:
This is a problem. You see we are trying to be more secure around our session and having the JSESSIONID in the URL is not helping much with that. Well, we can perhaps keep our application safe, and frustrate our developer slightly if he doesn't figure out this little bit of magic. We can control the session tracking programmatically in an "obvious" well-known location. We can enlist a ServletContextListener to help us.

The ServletContextListener can help us by listening for when our application is being initialized, and set the session tracking back to COOKIE for us.  The implementation is simple, and will help foil the "developer mode-itis" that sometimes infects the code.

Note: Even if you didn't have a value set in the web.xml file, this would set it to COOKIE.