
Setting HttpOnly and secure cookie flags in Liferay?

Alireza Zare, modified 11 years ago.

Setting HttpOnly and secure cookie flags in Liferay?

Regular Member Posts: 110 Join date: 03.09.10
Does anyone know how to set HttpOnly and secure cookie flags in Liferay?
Alireza Zare, modified 11 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Regular Member Posts: 110 Join date: 03.09.10
Can anyone confirm that one of the following methods will work for Liferay:

a. The HttpOnly functionality can be enabled for all webapps in conf/context.xml:

    <Context useHttpOnly="true">
    ...
    </Context>

b. Writing a servlet filter to overwrite the session cookie:

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Replaces the container's session cookie with one that carries HttpOnly
    // (and Secure when the request itself arrived over TLS).
    private void rewriteCookieToHeader(HttpServletRequest request, HttpServletResponse response) {
        if (response.containsHeader("SET-COOKIE")) {
            String sessionid = request.getSession().getId();
            // A ROOT deployment has an empty context path; the cookie path must then be "/"
            String contextPath = request.getContextPath();
            if (contextPath.isEmpty()) {
                contextPath = "/";
            }
            String secure = "";
            if (request.isSecure()) {
                secure = "; Secure";
            }
            // setHeader replaces every Set-Cookie header written so far, so call this
            // after the session cookie has been added and before the response is committed
            response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
                + "; Path=" + contextPath + "; HttpOnly" + secure);
        }
    }
Jason Roscoe, modified 11 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Junior Member Posts: 84 Join date: 23.10.08
I believe that will work for the JSESSIONID cookie, but how would we use this for ALL cookies that Liferay sets once a user logs in, like COMPANY_ID, ID, PASSWORD, REMEMBER_ME, LOGIN, SCREEN_NAME?

Thanks.
Sushil Kumar Saini, modified 11 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Regular Member Posts: 104 Join date: 27.07.11
Hi Alireza,

I am using option (a) to make the JSESSIONID HttpOnly; it works fine. Haven't tried option 2.

Cheers
Sushil Saini
Arun Pandian, modified 8 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

New Member Posts: 3 Join date: 17.06.15
Where should I find the context.xml file?
Thiago Leão Moreira, modified 7 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Liferay Legend Posts: 1449 Join date: 10.10.07

Thiago Leão Moreira, modified 7 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Liferay Legend Posts: 1449 Join date: 10.10.07
This link also helped me out https://geekflare.com/httponly-secure-cookie-apache/
Olaf Kock, modified 7 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Liferay Legend Posts: 6403 Join date: 23.09.08
Thiago Leão Moreira:
Made the trick for me https://geekflare.com/secure-cookie-flag-in-tomcat/

I do object to the use of the Secure flag: it has other side effects, i.e. Tomcat will assume that this connection is secure, no matter if it isn't. This implies that the administrator is responsible for making sure that HTTPS is indeed used for transport, for example on a reverse proxy. Without this, the use of this option is dangerous.
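The following is an added example, not code from Liferay or from any poster in this thread. It generalises Alireza's method (b) to the question Jason raised (the other cookies the portal sets, such as COMPANY_ID, ID, PASSWORD, REMEMBER_ME, LOGIN and SCREEN_NAME) and respects Olaf's caveat: instead of forcing Tomcat to assume every connection is secure, the filter wraps the response and adds HttpOnly to every Set-Cookie written by the webapp, adding Secure only when request.isSecure() is true for the actual request. The class and method names (CookieFlagFilter, CookieFlagResponse, harden) are hypothetical, and the filter assumes a Servlet 3.0 container (Cookie.setHttpOnly is not available in Servlet 2.5).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (not Liferay code): wraps the response so that every
// Set-Cookie the portal writes carries HttpOnly, and Secure when the request
// really arrived over TLS. Map it to /* in web.xml, ahead of the portal filters.
public class CookieFlagFilter implements Filter {

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // isSecure() is only trustworthy when Tomcat knows about TLS: a real
        // HTTPS connector, or a reverse proxy plus RemoteIpValve translating
        // X-Forwarded-Proto. Deriving the flag per request avoids the global
        // "assume everything is secure" setting Olaf objects to.
        boolean secure = request.isSecure();
        chain.doFilter(request, new CookieFlagResponse(response, secure));
    }

    // Appends the missing flags to a raw Set-Cookie header value, never duplicating them.
    static String harden(String header, boolean secure) {
        boolean hasHttpOnly = false;
        boolean hasSecure = false;
        for (String attr : header.split(";")) {
            String a = attr.trim();
            if (a.equalsIgnoreCase("HttpOnly")) hasHttpOnly = true;
            if (a.equalsIgnoreCase("Secure")) hasSecure = true;
        }
        StringBuilder sb = new StringBuilder(header);
        if (!hasHttpOnly) sb.append("; HttpOnly");
        if (secure && !hasSecure) sb.append("; Secure");
        return sb.toString();
    }

    static class CookieFlagResponse extends HttpServletResponseWrapper {
        private final boolean secure;

        CookieFlagResponse(HttpServletResponse response, boolean secure) {
            super(response);
            this.secure = secure;
        }

        // Cookies added through the API (how the portal sets COMPANY_ID, LOGIN, ...)
        @Override
        public void addCookie(Cookie cookie) {
            cookie.setHttpOnly(true);
            if (secure) cookie.setSecure(true);
            super.addCookie(cookie);
        }

        // Cookies written as raw headers
        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value, secure) : value);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value, secure) : value);
        }
    }
}
```

Two limits worth knowing: the container writes JSESSIONID itself, bypassing the wrapper, so method (a) (useHttpOnly="true" in context.xml) is still the right tool for the session cookie; and behind a reverse proxy the Secure flag only appears if Tomcat's RemoteIpValve (or an HTTPS connector) makes request.isSecure() reflect the client-facing transport, which is exactly the administrator responsibility Olaf describes.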