(Note, this has nothing to do with the JSS SSO Plugin - it's morphed into a BMC Mid Tier defect.)
Abhijit,

Not only is this thread months old, your response is wrong.

> The Container is adding a Cookie with the default Context Path as “/” which
> is referred to as the poison Cookie in this thread. Mid-Tier sets JSessionID
> Cookie marked as HTTPOnly with the right Context Path.

Neither Mid Tier nor any other Java web application should set a JSESSIONID cookie.

1. The session cookie may not be called JSESSIONID.
2. The container manages the session cookie so the web application does not have to.

> This is a settings issue and not a defect in the Product functionality.

It isn't a settings issue. It's a "developer doesn't understand Java web application / hasn't a clue" issue, because the developer decided to start managing the JSESSIONID cookie. The fault is in the application, which had not been adequately tested with the container (Weblogic), because Weblogic/Websphere/others assign session cookies to / not /contextpath.

Sure, it's not super design - it's actually pretty poor. But it's still wrong to suggest the fault lies anywhere other than Mid Tier.

And here's the reason someone has hard coded the session cookie in Mid Tier. Someone ran a 'security scanner' over Mid Tier and noticed the lack of HttpOnly cookies, something that could only be set in Java Servlet specification version 3 and hence is not implemented on most Tomcats deployed in the BMC world. Therefore, some developer decided to hard code the JSESSIONID cookie name with HttpOnly in Mid Tier code and introduced the defect.

John

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
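The two approaches the post contrasts, as an added example that is not Mid Tier or BMC code: the application-managed cookie that produces the duplicate "poison" cookie, and the container-managed configuration available since Servlet 3.0. It assumes a Servlet 3.0 container and only the standard javax.servlet API; class and method names are illustrative.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class SessionCookieExamples {

    /**
     * WRONG (the pattern described in the thread): the application
     * manufactures its own "JSESSIONID" cookie. The container still
     * issues its real session cookie, on WebLogic/WebSphere scoped to
     * /contextpath, so the browser ends up holding two cookies with the
     * same name and may send the wrong one back.
     */
    public static void appManagedCookie(HttpServletRequest req,
                                        HttpServletResponse resp) {
        Cookie c = new Cookie("JSESSIONID", req.getSession().getId());
        c.setPath("/");        // hard-coded path: does not match the container's
        c.setHttpOnly(true);   // the flag the scanner asked for, set the wrong way
        resp.addCookie(c);     // second cookie -> the "poison cookie"
    }

    /**
     * RIGHT: let the container flag its own session cookie. It keeps the
     * name and context path it already uses; the application never touches
     * the cookie. Equivalent web.xml (Servlet 3.0):
     *   <session-config><cookie-config><http-only>true</http-only>
     *   </cookie-config></session-config>
     */
    @WebListener
    public static final class ContainerManagedCookie implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext ctx = sce.getServletContext();
            SessionCookieConfig cfg = ctx.getSessionCookieConfig();
            cfg.setHttpOnly(true);   // must run before the first session is created
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }
}
```

On a Servlet 2.5 container (older Tomcats) neither `Cookie.setHttpOnly` nor `SessionCookieConfig` exists, which is why the flag has to come from the container's own configuration rather than application code.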