Forum

How to make JsessionId cookie is secure in Liferay

Naresh Reddy Kallamadi, modified 7 years ago.

How to make JsessionId cookie is secure in Liferay

Regular Member, Posts: 120, Join Date: 09/07/14
Hi All,

By default the JSESSIONID cookie is not secure, but I want to make it secure, so I tried the below in web.xml but had no luck:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Can anyone help me out? Are there properties that need to be overridden?


Thanks,
Naresh Kallamadi.
Olaf Kock, modified 7 years ago.

RE: How to make JsessionId cookie is secure in Liferay

Liferay Legend, Posts: 6403, Join Date: 23/09/08
Naresh Reddy Kallamadi:
By default the JSESSIONID cookie is not secure, but I want to make it secure, so I tried the below in web.xml but had no luck:

As far as I remember, Tomcat (state if you're using a different appserver) flags the cookie correctly by default if the session is created on HTTPS. It would be pointless to create a secure cookie on HTTP. As I like to suggest, HTTP and HTTPS mixed mode do not work well; my advice is to have a pure redirector on HTTP and unconditionally redirect all requests to HTTPS.

The next problem, if you're behind a proxy, is that Tomcat needs to know that the relevant connection (browser -> proxy) is made through HTTPS. My way to configure this is to use mod_jk, because it forwards the relevant information. If you proxy through HTTP, you'll need to configure Tomcat further. But as you don't give us information about your setup, I'll not dive deep into the configuration options you have; they might be irrelevant and confusing.
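To make the "proxy through HTTP" case concrete, here is an added example (not part of Olaf's post and not a config from the Liferay project): a Tomcat server.xml fragment that uses RemoteIpValve so that request.isSecure() becomes true when a TLS-terminating reverse proxy forwards over plain HTTP. The proxy address 10.0.0.5 and the port numbers are assumptions; the X-Forwarded-Proto header name is whatever the proxy actually sends. With mod_jk/AJP the valve is unnecessary, because AJP carries the SSL flag itself.

```xml
<!-- conf/server.xml (added example): Tomcat behind a TLS-terminating proxy at 10.0.0.5
     that forwards to port 8080 over plain HTTP and sets X-Forwarded-Proto: https -->
<Service name="Catalina">
  <!-- Plain-HTTP connector that only the proxy should be able to reach. -->
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />

  <Engine name="Catalina" defaultHost="localhost">
    <!-- Trust X-Forwarded-* headers only when the immediate client matches internalProxies.
         When protocolHeader carries protocolHeaderHttpsValue, the valve marks the request as
         secure (scheme https, port 443), so the container issues JSESSIONID with Secure. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.5"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https" />
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

Keep internalProxies tight: if any client can reach port 8080 directly and the valve trusts its X-Forwarded-Proto, that client can make Tomcat believe a plain-HTTP request was HTTPS. Check the result from outside with something like curl -skI https://host/ and confirm that the Set-Cookie line for JSESSIONID carries Secure and HttpOnly.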
Naresh Reddy Kallamadi, modified 7 years ago.

RE: How to make JsessionId cookie is secure in Liferay

Regular Member, Posts: 120, Join Date: 09/07/14
Thanks Olaf Kock for your quick reply.

I am using WebLogic with Liferay 6.2.10 EE and tried the below options:

1. Configuring in web.xml
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

2. Configuration in weblogic.xml from the URL http://www.sudobash.net/middleware-secure-liferay-session-cookie-jsessionid-in-weblogic/
3. Wrote the below code in a filter:

// inside doFilter(), after casting to HttpServletRequest / HttpServletResponse
if (response.containsHeader("SET-COOKIE")) {
    String sessionid = request.getSession().getId(); // note: creates a session if none exists yet
    String contextPath = request.getContextPath();
    String secure = "";
    if (request.isSecure()) {
        secure = "; Secure";
    }
    response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
        + "; Path=" + contextPath + "; HttpOnly" + secure);
}

But response.containsHeader("SET-COOKIE") is always returning false.
None of the above helped.

Can you suggest how to make the above code work?
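For anyone landing here with the same problem, the following is an added example (not code from the original posts, and not Liferay's or WebLogic's own code) showing the filter approach done in a way that can actually see the cookie: wrap the response before calling down the chain and intercept addCookie()/addHeader()/setHeader(), instead of asking containsHeader() afterwards. That check returns false because when the filter looks, nothing has added the cookie yet, and once the container adds it while committing the response the header can no longer be changed. The class name and the fixed cookie name JSESSIONID are assumptions, and the code relies on the Servlet 3.0 API (Cookie.setHttpOnly).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (added example, not Liferay/WebLogic code): forces HttpOnly, and Secure
 * on HTTPS requests, onto any JSESSIONID cookie that is set through the Servlet API.
 */
public class SecureSessionCookieFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID"; // assumed cookie name

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Wrap BEFORE calling down the chain: the cookie must be caught at the moment it is
        // added. A Secure cookie issued over plain HTTP would never be sent back by the browser,
        // so Secure is only added when the container considers this request secure.
        chain.doFilter(request, new CookieFlagsResponse(response, request.isSecure()));
    }

    /** Response wrapper that rewrites the session cookie on its way out. */
    static final class CookieFlagsResponse extends HttpServletResponseWrapper {
        private final boolean secureRequest;

        CookieFlagsResponse(HttpServletResponse response, boolean secureRequest) {
            super(response);
            this.secureRequest = secureRequest;
        }

        @Override
        public void addCookie(Cookie cookie) {
            if (SESSION_COOKIE.equals(cookie.getName())) {
                cookie.setHttpOnly(true);          // Servlet 3.0+
                if (secureRequest) {
                    cookie.setSecure(true);
                }
            }
            super.addCookie(cookie);
        }

        // Some code writes the header directly instead of calling addCookie().
        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, fix(name, value));
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, fix(name, value));
        }

        private String fix(String name, String value) {
            if (!"Set-Cookie".equalsIgnoreCase(name) || value == null
                    || !value.startsWith(SESSION_COOKIE + "=")) {
                return value;
            }
            return withAttributes(value, secureRequest);
        }
    }

    /** Appends HttpOnly (always) and Secure (only when secure is true) unless already present. */
    static String withAttributes(String setCookie, boolean secure) {
        StringBuilder sb = new StringBuilder(setCookie);
        String lower = setCookie.toLowerCase();
        if (!lower.contains("; httponly")) {
            sb.append("; HttpOnly");
        }
        if (secure && !lower.contains("; secure")) {
            sb.append("; Secure");
        }
        return sb.toString();
    }
}
```

Register the filter first in the filter chain with a url-pattern of /*. Two caveats. First, behind a TLS-terminating proxy request.isSecure() is only true if the container has been told the client connection was HTTPS (Olaf's point above), otherwise the Secure flag is never added. Second, a session cookie that the container writes through its own internals may not pass through this wrapper at all; for that cookie the container setting is the right lever (on WebLogic the session-descriptor elements cookie-secure and cookie-http-only in weblogic.xml, or ServletContext.getSessionCookieConfig() on a Servlet 3.0 container), and the filter is an extra layer for cookies set through the Servlet API. Whatever the mechanism, verify from outside with curl -skI https://host/ and check that the Set-Cookie line for JSESSIONID carries both HttpOnly and Secure.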