Setting HttpOnly and secure cookie flags in Liferay?

Alireza Zare, modified 11 years ago.

Setting HttpOnly and secure cookie flags in Liferay?

Regular Member Posts: 110 Join Date: 3/09/10
Does anyone know how to set HttpOnly and secure cookie flags in Liferay?

Alireza Zare, modified 11 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Regular Member Posts: 110 Join Date: 3/09/10
Can anyone confirm that one of the following methods will work for Liferay:

a. The httpOnly functionality can be enabled for all webapps in conf/context.xml:

    <Context useHttpOnly="true">
    ...
    </Context>

b. Writing a servlet filter to overwrite the session cookie:

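    private void rewriteCookieToHeader(HttpServletRequest request, HttpServletResponse response) {
        // Only act if the response already carries a Set-Cookie header.
        if (response.containsHeader("SET-COOKIE")) {
            String sessionid = request.getSession().getId();
            String contextPath = request.getContextPath();
            String secure = "";
            // Add the Secure attribute only when the request arrived over HTTPS.
            if (request.isSecure()) {
                secure = "; Secure";
            }
            // setHeader replaces every Set-Cookie header already on the response
            // with this single JSESSIONID cookie.
            response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
                    + "; Path=" + contextPath + "; HttpOnly" + secure);
        }
    }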

Jason Roscoe, modified 11 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Junior Member Posts: 84 Join Date: 23/10/08
I believe that will work for the JSESSIONID cookie, but how would we use this for ALL cookies that Liferay sets once a user logs in, like COMPANY_ID, ID, PASSWORD, REMEMBER_ME, LOGIN, SCREEN_NAME?

Thanks.

Sushil Kumar Saini, modified 11 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Regular Member Posts: 104 Join Date: 27/07/11
Hi Alireza,

I am using option (a) to make the jsession id httpOnly, and it works fine. I didn't try option 2.

Cheers
Sushil Saini

Arun Pandian, modified 8 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

New Member Posts: 3 Join Date: 17/06/15
Where should I find the context.xml file?

Thiago Leão Moreira, modified 7 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Liferay Legend Posts: 1449 Join Date: 10/10/07

Thiago Leão Moreira, modified 7 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Liferay Legend Posts: 1449 Join Date: 10/10/07
This link also helped me out https://geekflare.com/httponly-secure-cookie-apache/

Olaf Kock, modified 7 years ago.

RE: Setting HttpOnly and secure cookie flags in Liferay?

Liferay Legend Posts: 6403 Join Date: 23/09/08
Thiago Leão Moreira:
Made the trick for me https://geekflare.com/secure-cookie-flag-in-tomcat/


I do object to the use of the secure flag: it has other side effects, i.e. Tomcat will assume that this connection is secure, no matter if it isn't. This implies that the administrator is responsible for making sure that HTTPS is indeed used for transport, for example on a reverse proxy. Without this, the use of this option is dangerous.
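
Added example, not code from any poster in this thread or from Liferay: one way to extend option (b) to the cookies Jason Roscoe asks about is a filter that wraps the response and appends the flags to every cookie passing through it. The class name `CookieFlagFilter` is hypothetical, the `javax.servlet` 3.0 API is assumed, and the filter mapping is left to the deployment; cookies the container writes itself, such as Tomcat's JSESSIONID, bypass the wrapper and still need option (a).

```java
// Added example (not from the thread). CookieFlagFilter is a hypothetical name.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class CookieFlagFilter implements Filter {
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final boolean secure = req.isSecure(); // true only if the connector reports HTTPS
        chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public void addCookie(Cookie cookie) {
                cookie.setHttpOnly(true);            // Servlet 3.0+
                if (secure) cookie.setSecure(true);  // never mark cookies Secure on plain HTTP
                super.addCookie(cookie);
            }
            @Override
            public void addHeader(String name, String value) {
                super.addHeader(name, harden(name, value, secure));
            }
            @Override
            public void setHeader(String name, String value) {
                super.setHeader(name, harden(name, value, secure));
            }
        });
    }

    // Appends missing flags to a raw Set-Cookie value; other headers pass through unchanged.
    static String harden(String name, String value, boolean secure) {
        if (value == null || !"Set-Cookie".equalsIgnoreCase(name)) return value;
        StringBuilder out = new StringBuilder(value);
        if (!hasAttr(value, "HttpOnly")) out.append("; HttpOnly");
        if (secure && !hasAttr(value, "Secure")) out.append("; Secure");
        return out.toString();
    }

    // True if the cookie header already carries the given attribute (case-insensitive).
    static boolean hasAttr(String header, String attr) {
        for (String part : header.split(";")) {
            if (part.trim().equalsIgnoreCase(attr)) return true;
        }
        return false;
    }
}
```

Any cookie that page JavaScript has to read stops being readable once it is HttpOnly, so exclude those by name before enabling this for all cookies. `Secure` is keyed to `request.isSecure()`, so behind a TLS-terminating reverse proxy it is added only if the connector is configured to report the request as secure, which is the configuration Olaf Kock's caveat applies to.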