0

Secure jsessionid with secure, httponly flags, jetty web server

asked 2018-05-11 02:11:23 +0800

ChrisDMac gravatar image ChrisDMac
1

updated 2018-05-14 15:50:44 +0800

cor3000 gravatar image cor3000
3922 1 7
ZK Team

I'm wondering how I can add the secure and httponly flags to jsessionid. I've tried adding the lines:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>

to both the web.xml and/or zk.xml files in my WEB-INF directory. This seems to have no effect.

What is the correct way to do this?

Thanks!

delete flag offensive retag edit

1 Answer

Sort by » oldest newest most voted
0

answered 2018-05-14 16:19:16 +0800

cor3000 gravatar image cor3000
3922 1 7
ZK Team

According to the documentation the zk.xml doesn't have any <cookie-config>-element. So any attempt in zk.xml won't have any effect (no need to try).

Using web.xml worked on my side:

  • the JSESSIONID cookie was only returned/stored for HTTPS connections
  • non-secure HTTP connections used the URL rewriting fallback

Still the application works with or without HTTPS (so the effect is not instantly visible) However the expected effect becomes visible in the browser's developer tools -> only creates the cookie when running under HTTPS.

So a few questions from my side:

What kind of "effect" did you expect?

Did you configure your web.xml to use at least the servlet 3 spec (as mentioned here)?

Does your Jetty version support servlet spec 3.0 or above? -> Which jetty version do you use?

link publish delete flag offensive edit
Your answer
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

Follow
2 followers

RSS

Stats

Asked: 2018-05-11 02:11:23 +0800

Seen: 3 times

Last updated: May 14