- All Implemented Interfaces:
- javax.servlet.Filter
public class JSessionIdNoCacheFilter
extends Object
implements javax.servlet.Filter
Sets the header "cache-control: no-cache" if the response contains the jsessionid. This is done for security reasons:
web servers use session cookies to identify the active user sessions. Disclosing these session cookies to an
attacker can result in a session hijacking attack. With this in mind, session cookies should be treated as sensitive
data and should be well protected. With a secure cache-control policy in place, session cookies are typically stored
in the browser's memory instead of being flushed to the hard drive. When a browsing session is terminated, the corresponding
session cookies are deleted from the client machine. However, session cookies can also be kept in a cached web page.
For example, when a user logs in to a web site, the returned web page may contain session cookies in the "set-cookie"
response headers. If the "cache-control" header of this page is set to "public", all proxy servers and gateways
between the client and the server are allowed to cache this page, and the risk of exposing these sensitive session
cookies to an attacker is significantly increased. It is recommended to change the cache-control header to a secure
value, e.g., no-cache. As with a password, if an attacker steals the session cookies that represent a valid
user session, they can use them to masquerade as the victim user and access their personal data. If the victim user
has administrative privileges, then the security of the entire web site is at risk.
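The following is an added illustration of the technique this filter implements; it is example code written for this page, not the project's own JSessionIdNoCacheFilter source. It assumes the Servlet 3.0+ `javax.servlet` API, and detects the session id either as a JSESSIONID Set-Cookie header already present on the response or as a session newly created during the request (in which case the container will add the cookie itself); the class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: adds "Cache-Control: no-cache" when the response carries a session id. */
public class SessionIdNoCacheExampleFilter implements Filter {
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            // Wrap the response so the header is decided just before the first commit.
            res = new NoCacheOnSessionId((HttpServletRequest) req, (HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    static final class NoCacheOnSessionId extends HttpServletResponseWrapper {
        private final HttpServletRequest request;
        private boolean decided;

        NoCacheOnSessionId(HttpServletRequest request, HttpServletResponse response) {
            super(response);
            this.request = request;
        }

        // The response carries a session id if a Set-Cookie header names JSESSIONID,
        // or if a session was created during this request (the container adds that cookie).
        private boolean carriesSessionId() {
            for (String c : getHeaders("Set-Cookie")) {
                if (c != null && c.regionMatches(true, 0, "JSESSIONID=", 0, 11)) return true;
            }
            HttpSession s = request.getSession(false);
            return s != null && s.isNew();
        }

        // Headers are ignored once the response is committed, so decide on the first output call.
        private void decide() {
            if (decided || isCommitted()) return;
            decided = true;
            if (carriesSessionId()) setHeader("Cache-Control", "no-cache");
        }

        @Override public ServletOutputStream getOutputStream() throws IOException { decide(); return super.getOutputStream(); }
        @Override public PrintWriter getWriter() throws IOException { decide(); return super.getWriter(); }
        @Override public void flushBuffer() throws IOException { decide(); super.flushBuffer(); }
        @Override public void sendRedirect(String loc) throws IOException { decide(); super.sendRedirect(loc); }
    }
}
```

Map the filter to the same URL patterns as the login and session-creating pages in web.xml; a session created after the servlet has already obtained the writer is not caught by this simplified check.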