
Http 400 error when cookie-config is made secure


In my Spring (3.1) MVC web application (Servlet 3.0) I have the following href link in one of the JSPs:

<a href="./edit_account?id=${account.accountId}">
<i class="icon-th-list"></i>${account.accountId} ${program.customer} </a>

It used to work properly: whenever the user clicked on the above link on the web page, edit_account was appended to the application URL and the request reached the corresponding method within the Controller class. Now, due to security reasons, I had to make all cookies secure and http-only. Hence I added the following snippet in web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
          http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
          version="3.0">   

  <session-config>

        <cookie-config>     
        <http-only>true</http-only>
        <secure>true</secure>   
        </cookie-config>

  </session-config>

</web-app>

After adding the above, none of the clicks (hrefs in all JSPs) are working. The following error is thrown on the web page; however, j_session_id is showing up in the URL.

Http 400 description The request sent by the client was syntactically incorrect.

In all my JSPs, session is true.

Can somebody please help me with what changes I need to make so that all the flows work even after adding the above snippet in web.xml?


0
Selim Ok On

If you enable the secure flag, this means your browser is not allowed to send the jsessionId over cookies in the request header back to your server. Therefore, if you try to connect to your server over HTTP (instead of HTTPS), the jsessionId cannot be sent over cookies in the HTTP request and must be included in your URL links so that the servlet can somehow track the user's session.

To solve this issue, you have to use HTTPS by default.

P.S.: Actually, links with jsessionId shouldn't be a problem. Please check the URL syntax; it should be like this: http://www.example.org/some_path;jsessionid=d398jdsjnck398.1?parameter_name=parameter_value . If the ;jsessionid is always at the end of the URL, then it may be an indicator that the links are incorrectly generated. A possible reason for that may be that misuse of tag.
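
Added example, not part of the question or the answer above: one way to make HTTPS the default from the same web.xml, using standard Servlet 3.0 deployment-descriptor elements. It goes slightly beyond the answer by also setting the tracking mode to COOKIE, so the container no longer falls back to ;jsessionid= URL rewriting and session IDs stay out of URLs, logs and Referer headers. The resource name and the /* pattern are assumptions, and the container must already have an HTTPS connector configured.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
         http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <cookie-config>
      <!-- Session cookie is not readable from JavaScript -->
      <http-only>true</http-only>
      <!-- Browser returns the session cookie only over HTTPS -->
      <secure>true</secure>
    </cookie-config>
    <!-- Track sessions by cookie only: no ;jsessionid= appended to links.
         Without this, a request that arrives with no session cookie
         (for example over plain HTTP) gets URL-rewritten links. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

  <!-- Require TLS for every URL of the application, so the Secure
       session cookie is always eligible to be sent by the browser. -->
  <security-constraint>
    <web-resource-collection>
      <!-- Name is an arbitrary label (assumption) -->
      <web-resource-name>entire-application</web-resource-name>
      <!-- Assumption: the whole application should be HTTPS-only -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

With cookie-only tracking, a client that reaches the application over plain HTTP gets a new session on each request instead of a session ID in the URL, which makes a missing HTTPS redirect visible quickly during testing.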