Discussion Forums

Making session cookies (like COMPANY_ID, LFR_Session_state) secure & HTTPOnly

Srvna R, modified 10 years ago.

New Member | Posts: 10 | Join date: 09/07/13
Hi,
We are using Liferay 6.1.1 CE GA2 with MySQL for our portal. As a part of application vulnerability scanning, we found that session cookies like LFR_Session_State, COMPANY_ID, COOKIE SUPPORT, ID, s_cc (SiteCatalyst cookie) should be made 'secure' and 'httponly'.

We made the following changes in web.xml, and this made only JSessionID secure and HTTPOnly, but not all the other cookies mentioned above.

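<session-config>
    <session-timeout>30</session-timeout>
    <!-- The Servlet 3.0 schema allows one cookie-config per session-config,
         with http-only before secure. It applies to the session cookie only. -->
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>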

Kindly let us know if there are any methods to make the other cookies (LFR_Session_State, COMPANY_ID, COOKIE SUPPORT, ID, s_cc (SiteCatalyst cookie)) "secure" and "httponly".

Thanks in advance
Zsigmond Rab, modified 10 years ago.

RE: Making session cookies(like COMPANY_ID, LFR_Session_state) secure&HTTPO

Liferay Master | Posts: 728 | Join date: 05/01/10
Hi Srvna,

See the following tickets: LPS-19107, LPS-39469.

Regards,
Zsigmond
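
Added example (not part of the original posts and not Liferay code): a small check that reproduces the scanner finding discussed in this thread by parsing `Set-Cookie` response headers and listing which cookies lack `Secure` or `HttpOnly`, so a change can be verified per cookie. The header lines and cookie values in `SAMPLE_HEADERS` are constructed for illustration; the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for missing Secure / HttpOnly.
# SAMPLE_HEADERS is constructed for illustration, not captured from a portal.

REQUIRED = ("secure", "httponly")

SAMPLE_HEADERS = [
    "JSESSIONID=0123ABCD; Path=/; Secure; HttpOnly",
    "COMPANY_ID=10154; Expires=Thu, 10-Jul-2014 09:00:00 GMT; Path=/",
    "LFR_Session_State=1404982800; Path=/; secure",
    "ID=abc123; Path=/secure; Comment=httponly-pending",
]


def parse_set_cookie(header):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive. Only the text before '=' is the
    # attribute name, so 'Path=/secure' is not mistaken for the Secure flag.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(headers):
    """Map each cookie name to the required flags its header lacks."""
    report = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        report[name] = [flag for flag in REQUIRED if flag not in attrs]
    return report


def failing(headers):
    """Sorted names of cookies that lack at least one required flag."""
    return sorted(n for n, miss in missing_flags(headers).items() if miss)


if __name__ == "__main__":
    for cookie, miss in missing_flags(SAMPLE_HEADERS).items():
        status = "OK" if not miss else "missing: " + ", ".join(miss)
        print(cookie, status)
```

Cookies written by browser-side script never appear in `Set-Cookie` response headers and cannot carry `HttpOnly`, so this check covers server-issued cookies only.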