OC4J JVM Routing Does not Work When JSessionId Cookie is Generated from Custom Filter (Doc ID 1177103.1)

Last updated on JULY 03, 2020

Applies to:

Oracle Containers for J2EE - Version and later
Information in this document applies to any platform.
Archived and limited distribution, as the contents are overridden by Note 1586861.1: Security Advisory: Configure OC4J Startup Option to Enable HTTPOnly for HTTP Session Cookie


To set the "secure" and "httponly" flags on the session cookie, a servlet filter like the following was created:

public final void doFilter(ServletRequest servletRequest,
                           ServletResponse servletResponse,
                           FilterChain filterChain)
        throws IOException, ServletException {

    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;

    // Only build a session cookie if no Set-Cookie header is present yet.
    if (!response.containsHeader("SET-COOKIE")) {
        // The cookie value is taken from getSession().getId() alone.
        String sessionId = request.getSession().getId();
        String contextPath = request.getContextPath();
        String secure = "";
        if (request.isSecure()) {
            secure = "; Secure";
        }
        // Hand-built header: HttpOnly always, Secure only on HTTPS requests.
        response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionId
                           + "; Path=" + contextPath + "; HttpOnly" + secure);
    }

    filterChain.doFilter(servletRequest, response);
}

This works quite well as long as the OC4J instance consists of only one process. When running in a cluster with multiple processes/nodes, however, the "jvmroute" information is not contained in the cookie generated this way, so the session is lost because mod_oc4j cannot route the request to the correct OC4J node/process.
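
The filter above rebuilds the cookie from the session ID, which is where the routing information is dropped. The following added example (not Oracle code, and not the resolution from this note) shows the alternative of appending the flags to an existing Set-Cookie value while passing its name=value pair through untouched. The class and method names are hypothetical, the sample header is constructed, and it is an assumption that the code can see the container-generated header at all.

```java
// Added illustration; SessionCookieFlags and its methods are hypothetical names.
public final class SessionCookieFlags {

    // True if the attribute (e.g. "HttpOnly") already follows the name=value pair.
    static boolean hasAttribute(String header, String attr) {
        String[] parts = header.split(";");
        for (int i = 1; i < parts.length; i++) {   // parts[0] is name=value
            if (parts[i].trim().equalsIgnoreCase(attr)) {
                return true;
            }
        }
        return false;
    }

    // Appends HttpOnly (and Secure on HTTPS) to a JSESSIONID Set-Cookie value.
    // The name=value pair is never rewritten, so anything the container encoded
    // in the value, such as routing information, survives.
    static String harden(String header, boolean secureRequest) {
        if (header == null || !header.trim().startsWith("JSESSIONID=")) {
            return header;   // not the session cookie: leave unchanged
        }
        StringBuilder out = new StringBuilder(header.trim());
        if (!hasAttribute(header, "HttpOnly")) {
            out.append("; HttpOnly");
        }
        if (secureRequest && !hasAttribute(header, "Secure")) {
            out.append("; Secure");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample; the value is a placeholder, not the real OC4J format.
        String fromContainer = "JSESSIONID=SESSION-ID-PLUS-ROUTING-PLACEHOLDER; Path=/app";
        System.out.println(harden(fromContainer, true));
        // Flag already present in another case: nothing is duplicated.
        System.out.println(harden(fromContainer + "; httponly", false));
        // Other cookies pass through unchanged.
        System.out.println(harden("theme=dark; Path=/", true));
    }
}
```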

