When does app engine set the cookie JSESSIONID

[b...@soliduslink.com]

Hi,

https://groups.google.com/forum/#!topic/google-appengine/0luWnYACBlQ

According to this post. The App Engine set the cookie JSESSIONID after request.getSession() is called. But when exactly? Is it done by a internal filter?

What if I set the JESSIONID myself right after a new session is created? Will App Engine try to overwrite my cookie or it will just skip creating one?

Best,
Baojun

[Katayoon (Cloud Platform Support)]

The App Engine only provides the content for your app using Jetty. Session gets created when you call request.getSession() for the first time and consequently JSESSIONID cookie is created when the session is created. Hope this explanation works for you?

[Baojun Xu]

Good to know that JSESSIONID cookie is created by Jetty. Is there a way to add a HTTPONLY flag on this cookie? I tried to add the JSESSIONID cookie right after the request.getSession() method manually. Do you think it would be overwritten by jetty?

On Wed, Jun 6, 2018 at 10:47 PM, 'Katayoon (Cloud Platform Support)' via Google App Engine <google-a...@googlegroups.com> wrote:

The App Engine only provides the content for your app using Jetty. Session gets created when you call request.getSession() for the first time and consequently JSESSIONID cookie is created when the session is created. Hope this explanation works for you?

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/8d2af3bc-a494-4eee-9e91-f4d52c50c6bc%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Baojun Xu

Tel: +41 79 791 78 99

SolidusLink AG

Rütistrasse 16

8952 Schlieren

[Katayoon (Cloud Platform Support)]

You can add it by implementing a filter. Here, you may find a sample on how to implement a security filter which can be applied for HttpOnly similarly. For any question on Jetty, I recommend that you post your question in the respective community group.

[Baojun Xu]

I do have a filter for this purpose. It's configured in the method configureServlets(). Is it any different than configuring it in web.xml?

On Mon, Jun 11, 2018 at 9:58 PM, 'Katayoon (Cloud Platform Support)' via Google App Engine <google-a...@googlegroups.com> wrote:

You can add it by implementing a filter. Here, you may find a sample on how to implement a security filter which can be applied for HttpOnly similarly. For any question on Jetty, I recommend that you post your question in the respective community group.

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/f94083b3-4452-49e5-a0a1-d9006912778a%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Katayoon (Cloud Platform Support)]

I recommend that you post your full detailed question to Stack Overflow since Google Groups are reserved for general Google Cloud Platform-end product discussions and not for technical questions.