How to mark the session cookie as secure (HTTPS only) in Tomcat 6

I did a lot of googling and did not find an answer. I tried putting the following in the web.xml file of the WAR, without any effect:

<session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Adding useHttpOnly to the Tomcat context.xml file works to make the cookies HttpOnly, but I still need to make them secure.

+5
1 answer

You do not have to do anything. As long as the request that starts the session comes in over HTTPS, Tomcat marks the session cookie as secure.

I also looked to see if there was anything that officially documented this fact, but I could not find it. But this is the behavior in at least Tomcat 6.0.32 and higher.

From org/apache/catalina/connector/Request.java, the code that marks the session cookie as secure:

/**
 * Configures the given JSESSIONID cookie.
 *
 * @param cookie The JSESSIONID cookie to be configured
 */
protected void configureSessionCookie(Cookie cookie) {
    cookie.setMaxAge(-1);

    Context ctxt = getContext();

    String contextPath = null;
    if (ctxt != null && !getConnector().getEmptySessionPath()) {
        if (ctxt.getSessionCookiePath() != null) {
            contextPath = ctxt.getSessionCookiePath();
        } else {
            contextPath = ctxt.getEncodedPath();
        }
    }
    if ((contextPath != null) && (contextPath.length() > 0)) {
        cookie.setPath(contextPath);
    } else {
        cookie.setPath("/");
    }

    if (ctxt != null && ctxt.getSessionCookieDomain() != null) {
        cookie.setDomain(ctxt.getSessionCookieDomain());
    }

    if (isSecure()) {
        cookie.setSecure(true);
    }
}

UPDATE: , .., 'secure' JSESSION id cookie

+4
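An added configuration example, not part of the question or the answer above: the `if (isSecure())` check in Request.java means Tomcat only sets the Secure flag when the request itself is seen as HTTPS. When a load balancer or reverse proxy terminates TLS and forwards plain HTTP to Tomcat on port 8080, `isSecure()` is false and JSESSIONID is issued without Secure. The server.xml fragment below shows two ways to make Tomcat treat such proxied requests as secure; the port and proxy address values are placeholders to be replaced with your own.

```xml
<!-- server.xml fragment (added example, not from the original post).
     Tomcat calls cookie.setSecure(true) only when request.isSecure() is true.
     Behind a TLS-terminating proxy that speaks plain HTTP to Tomcat, pick ONE
     of the two options below so that isSecure() reflects the client-facing TLS. -->

<!-- Option 1: dedicate this connector to proxied-HTTPS traffic and declare it
     secure. Every request on this port is then treated as HTTPS, so only route
     TLS-terminated traffic to it (never expose it to plain-HTTP clients).
     proxyPort makes redirects and request.getServerPort() report the public port. -->
<Connector port="8080" protocol="HTTP/1.1"
           scheme="https" secure="true" proxyPort="443" />

<!-- Option 2 (Tomcat 6.0.24 and later): place this Valve inside <Engine> or <Host>.
     RemoteIpValve sets isSecure() from X-Forwarded-Proto, but only for requests
     that arrive from the proxies listed in internalProxies, so an untrusted client
     cannot forge the header. "10\.0\.0\.1" is a placeholder for your proxy's address. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.0\.0\.1"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto" />
```

After restarting Tomcat, confirm the result by requesting a page through the proxy and inspecting the response headers: the first response that creates a session should carry `Set-Cookie: JSESSIONID=...; Path=/; Secure`, with `HttpOnly` appended as well when `useHttpOnly` is set in context.xml as the question describes. If the cookie still lacks Secure, the request reaching Tomcat is not being recognised as HTTPS, which usually means the connector or proxy header is not the one the traffic actually uses.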
