Message Boards

How to make JsessionId cookie is secure in Liferay

Updated 7 years ago by Naresh Reddy Kallamadi.

How to make JsessionId cookie is secure in Liferay

Regular Member Posts: 120 Join Date: 14/07/09 Recent Posts
Hi All,

By default the JsessionId cookie is not secure, but I want to make it secure, so I tried the below in web.xml, but no luck:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Can anyone help me out? Are there properties that need to be overridden?


Thanks,
Naresh Kallamadi.
Updated 7 years ago by Olaf Kock.

RE: How to make JsessionId cookie is secure in Liferay

Liferay Legend Posts: 6403 Join Date: 08/09/23 Recent Posts
Naresh Reddy Kallamadi:
By default the JsessionId cookie is not secure, but I want to make it secure, so I tried the below in web.xml, but no luck:

As far as I remember, Tomcat (state if you're using a different appserver) flags the cookie correctly by default if the session is created on https. It would be pointless to create a secure cookie on http. As I like to suggest, http and https mixed mode does not work well; my advice is to have a pure redirector on http and unconditionally redirect all requests to https.

The next problem, if you're behind a proxy, is that Tomcat needs to know that the relevant connection (browser -> proxy) is made through https. My way to configure this is to use mod_jk, because it forwards the relevant information. If you proxy through http, you'll need to configure Tomcat further. But as you don't give us information about your setup, I'll not dive deep into the configuration options you have - they might be irrelevant and confusing.
Updated 7 years ago by Naresh Reddy Kallamadi.

RE: How to make JsessionId cookie is secure in Liferay

Regular Member Posts: 120 Join Date: 14/07/09 Recent Posts
Thanks Olaf Kock for your quick reply.

I am using WebLogic with Liferay 6210EE and tried the below options:

1. Configuring in web.xml
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

2. Configuration in weblogic.xml from the URL http://www.sudobash.net/middleware-secure-liferay-session-cookie-jsessionid-in-weblogic/
3. Wrote the below code in a filter:

if (response.containsHeader("SET-COOKIE")) {
    String sessionid = request.getSession().getId();
    String contextPath = request.getContextPath();
    String secure = "";
    if (request.isSecure()) {
        secure = "; Secure";
    }
    response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
            + "; Path=" + contextPath + "; HttpOnly" + secure);
}
}

But response.containsHeader("SET-COOKIE") is always giving false.
None of the above helped.

Can you suggest how to make the above code work?
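
To confirm from outside the server whether any of the three attempts above actually changed the cookie, the response headers can be audited directly, once over http and once over https. This is an added example, not code from the thread or from Liferay; the function names and the two sample responses are constructed for illustration.

```python
# Added example: report which flags are missing on the session cookie.
# SAMPLE_HTTP and SAMPLE_HTTPS are constructed responses, not captured traffic.

SAMPLE_HTTP = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=abc123secure; Path=/; HttpOnly
Set-Cookie: GUEST_LANGUAGE_ID=en_US; Path=/
"""

SAMPLE_HTTPS = """HTTP/1.1 200 OK
SET-COOKIE: JSESSIONID=def456; path=/; httponly; SECURE
"""

REQUIRED_FLAGS = {"secure", "httponly"}


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive; flags have no value.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_session_cookie(raw_headers, cookie_name="JSESSIONID"):
    """Return one sorted list of missing flags per Set-Cookie of cookie_name.

    An empty result means the response did not set that cookie at all.
    """
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        # Header names are case-insensitive; the status line has no colon.
        if not sep or header.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name == cookie_name:
            # Only real attributes count, not "secure" inside the cookie value.
            findings.append(sorted(REQUIRED_FLAGS - set(attrs)))
    return findings


if __name__ == "__main__":
    print("http :", audit_session_cookie(SAMPLE_HTTP))
    print("https:", audit_session_cookie(SAMPLE_HTTPS))
```

Feed it the header block saved from a real response (for example the output of a header dump from the browser's network tab) in place of the samples.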