set session cookie secure and httpOnly for LFR_SESSION_STATE_%

Question

Environment :

Liferay 6.2 with Jboss

We are trying to implement httponly and secure.

For this we have dome some changes like below

Added in Portal-ext.properties :
cookie.http.only.names.excludes=

and

Added following properties in ROOT.war/WEB-INF/web.xml

     <session-config>
      <cookie-config>
       <http-only>true</http-only>
       <secure>true</secure>
      </cookie-config>
     </session-config>

I can see all the session cookies are httponly except the one which are starting with LFR_SESSION_STATE_

Can anyone suggest how we can handle this.

score 2 · Answer 1 · answered Jan 20 '16 at 05:24

LFR_SESSION_STATE_ are cookies that explicitly get handled on client-side and not on server side - thus they're inherently only accessed through JS. As far as I know they're never even persisted on server side. And I don't expect any real leakage from these cookies. In my perception the cookies are about determining state of the quality "should this help item be shown with full text or just collapsed".

set session cookie secure and httpOnly for LFR_SESSION_STATE_%

1 Answers1