setting httpOnly and secure cookie flags in Liferay 6.0

Peter Erskine De Dios, modified 7 years ago.

New Member Posts: 1 Join Date: 25/08/14
How can you set httpOnly and secure flags for cookies set by Liferay, like COMPANY_ID, ID, PASSWORD, REMEMBER_ME, LOGIN, SCREEN_NAME?
Ionut Negoita, modified 7 years ago.

RE: setting httpOnly and secure cookie flags in Liferay 6.0

New Member Posts: 10 Join Date: 27/08/12
Hi,

Basically, you need to create a new filter and add it to the stack of Liferay filters. In the filter you need to have a response wrapper.
Please keep in mind that the JSESSIONID cookie comes from Tomcat so it should be handled by adding the useHttpOnly="true" attribute to context settings.
Here's a detailed description on how to do this: Solving OWASP security vulnerabilities in Liferay 6.0.x
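
The filter and response wrapper described in the reply above, as an added example that is not part of the original thread, the linked article, or Liferay's own code. It assumes the Servlet 2.5 API (where Cookie has no setHttpOnly() method, so the Set-Cookie header is written by hand); the class names SecureCookieFilter and FlaggedResponse are hypothetical.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical class name; map it in web.xml so it wraps the code that sets cookies.
public class SecureCookieFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new FlaggedResponse((HttpServletResponse) res, req.isSecure()));
    }

    // Response wrapper: cookies added downstream are re-emitted with the flags.
    static class FlaggedResponse extends HttpServletResponseWrapper {
        // Characters that must never reach a hand-built header value.
        private static final Pattern UNSAFE = Pattern.compile("[\\s;,\"]");
        private final boolean https;

        FlaggedResponse(HttpServletResponse res, boolean https) {
            super(res);
            this.https = https;
        }

        @Override
        public void addCookie(Cookie c) {
            String v = c.getValue() == null ? "" : c.getValue();
            // Only plain version 0 cookies are rewritten; anything that would need
            // quoting or could split the header is left to the container.
            if (c.getVersion() != 0 || UNSAFE.matcher(v).find()) {
                super.addCookie(c);
                return;
            }
            StringBuilder h = new StringBuilder(c.getName()).append('=').append(v);
            if (c.getPath() != null) h.append("; Path=").append(c.getPath());
            if (c.getDomain() != null) h.append("; Domain=").append(c.getDomain());
            // Max-Age only; add Expires as well if browsers that ignore Max-Age matter.
            if (c.getMaxAge() >= 0) h.append("; Max-Age=").append(c.getMaxAge());
            // Secure only on HTTPS requests, so cookies set over plain HTTP keep working.
            if (https || c.getSecure()) h.append("; Secure");
            h.append("; HttpOnly");
            addHeader("Set-Cookie", h.toString());
        }
    }
}
```

Behind a TLS-terminating proxy, isSecure() reports false unless the connector is configured to reflect the original scheme, so Secure would not be added. Cookies that code writes directly with addHeader("Set-Cookie", ...) bypass addCookie(), and any cookie that client-side script has to read must be excluded from the HttpOnly flag.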