I'd like to make the session cookie domain-wide, and ignore subdomains - in
Tomcat 6. So for an app reachable via my.site.com and www.site.com, I'd like to
have the session cookie's domain be ".site.com". I thought of doing so using a
ServletResponseWrapper and a servlet Filter:
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException
    {
        if (!(response instanceof SessionCookieDomainSettingServletResponseWrapper))
        {
            response = new SessionCookieDomainSettingServletResponseWrapper(
                    (HttpServletResponse) response);
        }
        chain.doFilter(request, response);
    }
and in wrapper:
    @Override
    public void addCookie(Cookie cookie)
    {
        if (cookie != null && SESSION_COOKIE_NAME.equals(cookie.getName()))
        {
            // update domain name to just the domain
            stripSubDomain(cookie);
        }
        super.addCookie(cookie);
    }
However, JSESSIONID continues to be set to FQ host name ("my.site.com").
Is it because Tomcat internals do not use HttpServletResponse.addCookie() to
set JSESSIONID or is that cookie set before filter chain gets executed?
If so, sounds like Filter is (sadly) not applicable for this case, and I
have to create a custom Valve? Any tips on how to
wrap org.apache.catalina.connector.Response - valve.invoke() does not take
HttpServletResponse...
thanks
-nikita
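
The post does not show stripSubDomain(), so the following is an added example, not the poster's code and not part of Tomcat: one way to pick the cookie domain from a configured value instead of deriving it from the request's Host header. The class name, cookieDomainFor() and CONFIGURED_DOMAIN are hypothetical, and the sample hosts are constructed.

```java
import java.util.Locale;

// Added example: hypothetical helper, not from the original post or Tomcat.
public class SessionCookieDomain {

    // Assumption: the shared domain comes from configuration, never from the request.
    static final String CONFIGURED_DOMAIN = "site.com";

    /**
     * Returns the Domain attribute for the session cookie (".site.com"), or
     * null when the request host is not under the configured domain, in which
     * case the cookie should stay host-only.
     */
    static String cookieDomainFor(String hostHeader, String configuredDomain) {
        if (hostHeader == null || hostHeader.trim().isEmpty()) {
            return null;
        }
        String host = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (host.startsWith("[")) {
            return null;                      // IPv6 literal, no domain cookie
        }
        int colon = host.indexOf(':');
        if (colon >= 0) {
            host = host.substring(0, colon);  // drop ":port"
        }
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1);  // trailing root dot
        }
        String base = configuredDomain.toLowerCase(Locale.ROOT);
        // Match on a label boundary so "evilsite.com" is not treated as "site.com".
        if (host.equals(base) || host.endsWith("." + base)) {
            return "." + base;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample Host header values.
        String[] hosts = { "my.site.com", "WWW.site.com:8080", "site.com.",
                           "evilsite.com", "site.com.attacker.example", "10.0.0.5" };
        for (String h : hosts) {
            System.out.println(h + " -> " + cookieDomainFor(h, CONFIGURED_DOMAIN));
        }
    }
}
```

Matching against a fixed base domain avoids setting the cookie on a public suffix such as ".co.uk" or on whatever name a client puts in the Host header.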