Alireza Zare
Setting HttpOnly and secure cookie flags in Liferay?
October 4, 2012 12:18 AM
Does anyone know how to set HttpOnly and secure cookie flags in Liferay?
Alireza Zare
RE: Setting HttpOnly and secure cookie flags in Liferay?
October 4, 2012 1:30 AM
Can anyone confirm that one of the following methods will work for Liferay:

a. The httpOnly functionality can be enabled for all webapps in conf/context.xml:

<Context useHttpOnly="true">
...
</Context>

b. Writing a servlet filter to overwrite the session cookie:

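    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    // Rewrites the session cookie with HttpOnly (and Secure on HTTPS requests).
    // Note: setHeader replaces every Set-Cookie header already on the response,
    // so any other cookie set earlier in the same response is dropped.
    private void rewriteCookieToHeader(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false); // do not create a session here
        if (session != null && response.containsHeader("SET-COOKIE")) {
            String contextPath = request.getContextPath();
            if (contextPath.isEmpty()) {
                contextPath = "/"; // root context: getContextPath() returns ""
            }
            String secure = "";
            if (request.isSecure()) {
                secure = "; Secure";
            }
            response.setHeader("SET-COOKIE", "JSESSIONID=" + session.getId()
                    + "; Path=" + contextPath + "; HttpOnly" + secure);
        }
    }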
Jason Roscoe
RE: Setting HttpOnly and secure cookie flags in Liferay?
November 20, 2012 6:37 AM
I believe that will work for the JSESSIONID cookie, but how would we use this for ALL cookies that Liferay sets once a user logs in, like COMPANY_ID, ID, PASSWORD, REMEMBER_ME, LOGIN, SCREEN_NAME?

Thanks.
Sushil Saini
RE: Setting HttpOnly and secure cookie flags in Liferay?
November 21, 2012 9:26 PM
Hi Alireza,

I am using option (a) to make the JSESSIONID httpOnly and it works fine. I didn't try option 2.

Cheers
Sushil Saini
Arun Pandian
RE: Setting HttpOnly and secure cookie flags in Liferay?
July 14, 2015 2:20 AM
Where should I find the context.xml file?
Thiago Leão Moreira
RE: Setting HttpOnly and secure cookie flags in Liferay?
April 12, 2017 3:23 PM
This did the trick for me: https://geekflare.com/secure-cookie-flag-in-tomcat/
Thiago Leão Moreira
RE: Setting HttpOnly and secure cookie flags in Liferay?
April 12, 2017 3:38 PM
This link also helped me out: https://geekflare.com/httponly-secure-cookie-apache/
Olaf Kock
RE: Setting HttpOnly and secure cookie flags in Liferay?
April 13, 2017 7:52 AM
Thiago Leão Moreira:


I do object to the use of the secure flag: it has other side effects, i.e. Tomcat will assume that this connection is secure, no matter if it isn't. This implies that the administrator is responsible for making sure that HTTPS is indeed used for transport, for example on a reverse proxy. Without this, the use of this option is dangerous.