Message Boards
setting httpOnly and secure cookie flags in Liferay 6.0
Peter Erskine De Dios, modified 8 years ago.
setting httpOnly and secure cookie flags in Liferay 6.0
New Member Posts: 1 Join Date: 14-8-25 Recent Posts
How can you set httpOnly and secure flags for cookies set by Liferay, like COMPANY_ID, ID, PASSWORD, REMEMBER_ME, LOGIN, SCREEN_NAME?
Ionut Negoita, modified 7 years ago.
RE: setting httpOnly and secure cookie flags in Liferay 6.0
New Member Posts: 10 Join Date: 12-8-27 Recent Posts
Hi,
Basically you need to create a new filter and add it to the stack of Liferay filters. In the filter you need to have a response wrapper.
Please keep in mind that the JSESSIONID cookie comes from Tomcat so it should be handled by adding the useHttpOnly="true" attribute to context settings.
Here's a detailed description on how to do this: Solving OWASP security vulnerabilities in Liferay 6.0.x