Tags
People
Badges
Help-
CORE FRAMEWORK
FEATURED COMPONENTS
-
RESOURCES
-
LEARN ZK
RESOURCES
I'm wondering how I can add the secure and httponly flags to jsessionid. I've tried adding the lines:
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
to both the web.xml and/or zk.xml files in my WEB-INF directory. This seems to have no effect.
What is the correct way to do this?
Thanks!
According to the documentation the zk.xml doesn't have any <cookie-config>-element. So any attempt in zk.xml won't have any effect (no need to try).
Using web.xml worked on my side:
Still the application works with or without HTTPS (so the effect is not instantly visible) However the expected effect becomes visible in the browser's developer tools -> only creates the cookie when running under HTTPS.
So a few questions from my side:
What kind of "effect" did you expect?
Did you configure your web.xml to use at least the servlet 3 spec (as mentioned here)?
Does your Jetty version support servlet spec 3.0 or above? -> Which jetty version do you use?
Asked: 2018-05-11 02:11:23 +0800
Seen: 7 times
Last updated: May 14 '18