Thursday, September 11, 2008

Session Tracking with SSL in WebLogic

When we are using SSL, there are two session ids and they are put in two separate cookies:
1) JSESSIONID
2) _wl_authcookie_ (a secure cookie, i.e. it is only sent over SSL)
All SSL requests must contain both cookies; otherwise the request is not considered authenticated. Non-SSL (HTTP) requests need to contain only the JSESSIONID cookie.
The sad thing is that WebLogic's implementation of URLConnection's getHeaderField("Set-Cookie") returns only one cookie (whichever comes first). If you want both cookies you need to use getHeaderFields() and look for the entry with the key "Set-Cookie". To send the cookies on a request we need to use URLConnection.setRequestProperty("cookies") and pass both cookies with a semicolon (;) as the separator.
If cookies are disabled, URL rewriting shall be used for session tracking. In that case you don't need to pass both cookies for SSL; the JSESSIONID alone will do. With SSL, URL rewriting works only if either of the following is configured:
1) EnableCookie=false in weblogic.xml
2) AuthCookieEnabled=false in config.xml
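As an added example (not code from the original post), this is how a Java client collects every Set-Cookie header from a WebLogic response via getHeaderFields() and replays both cookies, semicolon separated, in the standard Cookie request header. The URLs are hypothetical placeholders; _wl_authcookie_ is marked Secure by WebLogic, so the helper only includes it on HTTPS requests.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Collects every Set-Cookie header from a response and replays them on the next request. */
public class WebLogicSslSession {

    /** Returns name=value pairs from ALL Set-Cookie headers, not only the first one. */
    static Map<String, String> collectCookies(Map<String, List<String>> responseHeaders) {
        Map<String, String> jar = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : responseHeaders.entrySet()) {
            // The status line is stored under a null key; header-name case may vary.
            if (e.getKey() == null || !e.getKey().equalsIgnoreCase("Set-Cookie")) continue;
            for (String setCookie : e.getValue()) {
                String pair = setCookie.split(";", 2)[0];   // drop Path/Secure/HttpOnly attributes
                int eq = pair.indexOf('=');
                if (eq > 0) jar.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
            }
        }
        return jar;
    }

    /** Builds the Cookie request header. _wl_authcookie_ is Secure: send it only over HTTPS. */
    static String cookieHeader(Map<String, String> jar, boolean https) {
        List<String> parts = new ArrayList<>();
        for (Map.Entry<String, String> c : jar.entrySet()) {
            if (!https && c.getKey().equals("_wl_authcookie_")) continue;
            parts.add(c.getKey() + "=" + c.getValue());
        }
        return String.join("; ", parts);   // "JSESSIONID=...; _wl_authcookie_=..."
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical endpoints (assumption): replace with your own WebLogic application URLs.
        URL login = new URL("https://example.invalid/app/login");
        HttpURLConnection first = (HttpURLConnection) login.openConnection();
        first.getResponseCode();                       // forces the exchange so headers are available
        Map<String, String> jar = collectCookies(first.getHeaderFields());

        URL next = new URL("https://example.invalid/app/secure/page");
        HttpURLConnection second = (HttpURLConnection) next.openConnection();
        boolean https = "https".equals(next.getProtocol());
        second.setRequestProperty("Cookie", cookieHeader(jar, https));
        System.out.println("HTTP " + second.getResponseCode() + " sent with: " + cookieHeader(jar, https));
    }
}
```

If the second response comes back unauthenticated, check that both cookie names appear in the header you sent; a missing _wl_authcookie_ is the symptom of reading only the first Set-Cookie value.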

1 comment:

Unknown said...

Rejeev,

I just read your post. I'm trying to find out why I can't see the _wl_authcookie_ through a proxy when I intercept traffic. I'm doing security testing and I need to test session IDs. I was seeing only the JSESSIONID but then I ran WebInspect CookieCruncher and it showed me the _wl_authcookie_. How is it being passed and where do I find it?