Skip to main content

Glassfish cluster JSESSIONIDVERSION and JREPLICA cookies secure flag lost

Please note these forums are being decommissioned and use the new and improved forums at
No replies
Joined: 2014-05-20


I have a problem with environment where sub domain traffic is routed from LB to clustered back end. The problem comes with setup where e.g. is proxied to glassfish application with document root set to e.g. /applicationX. replies only for https requests and http is redirected by LB to https. So end result is that will reply with application generated content without disclosing application context root applicationX.

This opens a problem that session cookies like JSESSIONID cannot work if cookie path is not changed. In this case it is changed to / making it match with domain where cookie is used. Cookie configuration defines that session cookies are http only and secure. That is done in web.xml.

The problem now is that JSESSIONIDVERSION and JREPLICA cookies created by Availability will lose Secure status of the cookie. That seem to happen when either session cookie path is changed from context-root path to / or when context-root itself is defined to be /. When there is a context-root set for any name and session cookie path configuration is not changed, secure status is set for JSESSIONIDVERSION and JREPLICA. JSESSIONID cookie secure status is always set properly regardless cookie path change or context-root change.

Question is from where this special treatment comes for application which context-root is set to root itself? Second question is that from where I can change / force JSESSIONIDVERSION and JREPLICA to have Secure flag set even if cookie path is changed?

Side note: For some reason when I call with curl -i ... secure status is there for all of the cookies set but e.g. firefox nor chrome doesn't get version nor replica cookies with secure status.