Maulin Rathod
Liferay cookies
March 26, 2009 12:48 AM

Hi,

We want to make the cookie secure and httponly to protect the cookie. How can we do it?
Samuel Kong
RE: Liferay cookies
March 26, 2009 10:22 AM
LIFERAY STAFF

If a user signs in using an https connection, the cookies will automatically be marked secured. To force users to use an https connection, look into one of these properties:

web.server.protocol
main.servlet.https.required
Marcin Radecki
RE: Liferay cookies
October 25, 2010 4:41 AM

Hi,

This seems to be an answer to the former part of the question (secure cookie). How about setting a httponly flag on Liferay cookies?

Cheers,
Marcin
Jonathan Ross
RE: Liferay cookies
December 1, 2010 10:00 AM

I am also interested in setting all cookies to httpOnly. Has anyone found a solution to this?
Jon Cruz
RE: Liferay cookies
February 16, 2011 5:56 PM

I'm also interested to see if anyone has come up with a solution.

I've been searching Google for ways of setting it in JBoss/Tomcat or Apache HTTP server as well as "Liferay".

I've found:

http://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly


It'd be nice if a Liferay dev or support would say "yeah it's possible" or "no it's not possible yet".

Thanks.
Daniel Dan
RE: Liferay cookies
November 7, 2011 8:18 AM

Samuel Kong:
If a user signs in using an https connection, the cookies will automatically be marked secured. To force users to use an https connection, look into one of these properties:

web.server.protocol
main.servlet.https.required



If I'm currently using an https connection, will it make some difference to change the cookie property to HttpOnly?

Thanks in advance
Daniel Dan
RE: Liferay cookies
January 23, 2012 7:16 AM

Daniel Dan:
Samuel Kong:
If a user signs in using an https connection, the cookies will automatically be marked secured. To force users to use an https connection, look into one of these properties:

web.server.protocol
main.servlet.https.required



If I'm currently using an https connection, will it make some difference to change the cookie property to HttpOnly?

Thanks in advance


Can someone answer that?
Alireza Zare
RE: Liferay cookies
October 4, 2012 12:17 AM

Does anyone know how to set HttpOnly and secure cookie flags in Liferay?
Sushil Saini
RE: Liferay cookies
October 10, 2012 7:39 PM

Hi Friends,

JSessionId is generated by the application server, like Tomcat, JBoss, etc. That's why, to make the JSessionId httpOnly, configuration is required at the app server. In my case I am using a Tomcat server.

And for the Tomcat server, the following configuration is required in the {TOMCAT_HOME}\conf\context.xml file:
<Context useHttpOnly="true" >

Thanks
Sushil Kumar
Ashish Renapurkar
RE: Liferay cookies
May 17, 2013 1:11 AM

It will work on Firefox but not on IE or Chrome.
Ashish Renapurkar
RE: Liferay cookies
July 11, 2013 11:45 PM

Ashish Renapurkar:
It will work on Firefox but not on IE or Chrome.


I tried another way for the httponly issue: I added the HttpOnly cookies.jar and added a filter in web.xml. Now I'm not able to log in to the application; it is showing "Authentication failed. Please enable browser cookies and try again."

Any help will be appreciated.

Regards...
Ashish Renapurkar
Harsha Mhaske
RE: Liferay cookies
September 10, 2013 4:39 AM

Hi Samuel,

We already have web.server.protocol set to true and the site is on https, but still the vulnerability report says that cookies are not set to secure.

Could you please help?

Regards,
Harsha
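
A way to check which cookies actually carry the two flags discussed in this thread, as an added example that is not part of the original posts. The response headers, and the cookie names other than JSESSIONID, are constructed sample data; attribute names are compared per attribute, so a path such as /secure-area is not mistaken for the Secure flag.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly flags.
# SAMPLE_RESPONSE is constructed data, not output captured from a real server.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly
Set-Cookie: COOKIE_SUPPORT=true; Expires=Thu, 01-Jan-2015 00:00:00 GMT; Path=/; secure; httponly
Set-Cookie: GUEST_LANGUAGE_ID=en_US; Path=/secure-area
Content-Type: text/html;charset=UTF-8
"""


def set_cookie_values(raw_headers):
    """Return the value of every Set-Cookie line in a raw response header block."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names) for one header value."""
    parts = value.split(";")
    # The first segment is always name=value, so it is never treated as a flag.
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        attr = part.split("=", 1)[0].strip().lower()
        if attr:
            attrs.add(attr)
    return cookie_name, attrs


def audit(values, required=("secure", "httponly")):
    """Map each cookie name to the required flags it is missing (compliant cookies omitted)."""
    findings = {}
    for value in values:
        cookie_name, attrs = parse_set_cookie(value)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(set_cookie_values(SAMPLE_RESPONSE)).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

The same functions work on response headers saved from your own portal, for example copied from a browser's network panel.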