Applet altering value of JSESSIONID cookie in Java 6 Update 29
895541 Oct 20 2011 — edited Nov 14 2011
After upgrading to Java 6 Update 29 (1.6.0_29) we started to encounter problems with users losing their session in our web application once the user navigated to a page that contained an applet. The applet communicates with our server. We have traced the issue to a new value being set for the JSESSIONID cookie. This happens shortly after the applet loads. We also observed the same behavior when using the java.com website and its 'Verify Java Version' applet (http://java.com/en/download/installed.jsp).
When using a previous version of Java (such as Update 22 or 27) we do NOT see this JSESSIONID altering issue. Downgrading the Java client version is our only known workaround.
Has anyone else experienced similar behavior since using update 29? Is this a new security feature or fix that was introduced in update 29?
We've also seen the following stack traces thrown in the client-side Java Console. Still trying to determine if they are more of a side effect or the root cause.
java.security.AccessControlException: access denied (com.sun.deploy.security.SecureCookiePermission origin.https://172.xxx.xxx.xxx:8443)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
.....
java.io.IOException: Not in GZIP format
at java.util.zip.GZIPInputStream.readHeader(Unknown Source)
at java.util.zip.GZIPInputStream.<init>(Unknown Source)
at java.util.zip.GZIPInputStream.<init>(Unknown Source)
....