
I have an issue when I login to my machine via HTTPS and then try to login via HTTP.

However, when I clear site data, I can successfully login via HTTP. The problem occurs when I login via HTTPS --> logout --> login via HTTP - I can't login again unless I clear site data.

This behaviour is observed after upgrading from jetty 4.2.24 to jetty 9.2.25.

Is this the security added by jetty? If so, how to revert this behaviour?

I have seen some cookie options from https://github.com/expressjs/cookie-session#cookie-options, but setting this also didn't help me.

Suman

1 Answer


Jetty 4.2.24 is so old, there's been over 500 releases of Jetty (yes, I counted), and the HTTP spec itself has been updated 4 times, and the Cookie spec has been updated 3 times. It's no wonder you are experiencing new and wonderful behaviors.

I bet the cookie is being sent with the secure flag set.

How does cookie "Secure" flag work?

This behavior is common for secure only Cookies.

This configuration, in Jetty, can be controlled by the WebApp's WEB-INF/web.xml

Look for something like this ...

<session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

Note: http-only set to true means that cookie is only used for the HTTP protocol (including the schemes http:, https:, ws:, and wss:), and the Cookie will not be available to the JavaScript running on the browser.

Joakim Erdfelt
  • I could observe that when I login through https, irrespective of the user defined secure attribute value, the cookie is showing secure as true. – Suman Nov 27 '18 at 12:27
  • The secure attribute is becoming true by default, Is this the default behaviour added to servlet specs after servlet 2.4? I couldn't see any such update from the servlet 3.1 doc. https://tomcat.apache.org/tomcat-8.0-doc/servletapi/javax/servlet/http/Cookie.html#setSecure(boolean) – Suman Nov 27 '18 at 12:46
  • Tomcat is not the official source of the servlet spec (either the javadoc or the spec document). Use the official documents at https://docs.oracle.com/javaee/7/api/index.html?javax/servlet/package-summary.html or https://javaee.github.io/servlet-spec/DOWNLOADS.html – Joakim Erdfelt Nov 27 '18 at 15:02
  • The servlet spec makes no declaration of default values for Session configuration, that's up to the application to declare. Each container is free to use whatever default values (if undeclared) to fit their own requirements. (some containers don't even default to using Cookies) – Joakim Erdfelt Nov 27 '18 at 15:04
  • When I set secure as false from my application and access the https, the attribute is becoming true. I don't understand how it's being modified? – Suman Nov 29 '18 at 06:53
  • true is also working, but when I set false and access https, then secure is changing to true. I don't understand from where this value is being set? – Suman Nov 29 '18 at 09:55
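The sequence in the question (login over HTTPS, log out, log in over HTTP, stuck until site data is cleared) follows directly from how browsers treat the Secure attribute. The script below is an added example, not code from the question, the answer, or Jetty: it models a browser cookie jar that enforces the two Secure rules (a Secure cookie is only attached to https requests, and a Set-Cookie arriving over http may not create or overwrite a Secure cookie of the same name, the "Leave Secure Cookies Alone" rule from RFC 6265bis that current browsers implement), plus a server that marks JSESSIONID Secure whenever the request came over HTTPS, which is the behaviour the questioner reports in the comments. The session ids and the `secure_on_https` switch are constructed for the example.

```python
"""Added example (not from the question, the answer, or Jetty): replay the
https login -> logout -> http login sequence against a model browser jar.
Session ids and the server policy switch are constructed for illustration."""
from __future__ import annotations

import itertools
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse name=value and the Secure / HttpOnly attributes of a Set-Cookie
    header; other attributes (Path, Max-Age, SameSite, ...) are ignored here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


class BrowserJar:
    """Cookie jar applying two browser rules for the Secure attribute:
    1. a Secure cookie is only sent on https requests (RFC 6265 section 5.4);
    2. a Set-Cookie received over http may neither create a Secure cookie nor
       overwrite an existing Secure cookie of the same name (RFC 6265bis)."""

    def __init__(self) -> None:
        self.cookies: dict[str, Cookie] = {}

    def store(self, scheme: str, set_cookie: str) -> bool:
        """Return True if the cookie was accepted, False if the jar rejected it."""
        new = parse_set_cookie(set_cookie)
        if scheme != "https":
            if new.secure:
                return False  # http origin cannot set a Secure cookie
            old = self.cookies.get(new.name)
            if old is not None and old.secure:
                return False  # would overwrite a Secure cookie: rejected
        self.cookies[new.name] = new
        return True

    def cookie_header(self, scheme: str) -> dict[str, str]:
        """Cookies the browser would attach to a request using this scheme."""
        return {c.name: c.value for c in self.cookies.values()
                if scheme == "https" or not c.secure}


class SessionServer:
    """Issues JSESSIONID and, like the container described in the comments,
    marks it Secure when the request came over HTTPS. secure_on_https=False
    models the 'reverted' behaviour the questioner asks about."""

    def __init__(self, secure_on_https: bool = True) -> None:
        self.secure_on_https = secure_on_https
        self.sessions: set[str] = set()
        self._ids = itertools.count(1)

    def login(self, scheme: str) -> str:
        """Create a session and return the Set-Cookie header that carries it."""
        sid = f"sess-{next(self._ids)}"  # constructed id, not a real Jetty id
        self.sessions.add(sid)
        header = f"JSESSIONID={sid}; Path=/; HttpOnly"
        if scheme == "https" and self.secure_on_https:
            header += "; Secure"
        return header

    def logout(self, cookies: dict[str, str]) -> None:
        """Invalidate the server-side session; the browser keeps its cookie."""
        self.sessions.discard(cookies.get("JSESSIONID", ""))

    def is_authenticated(self, cookies: dict[str, str]) -> bool:
        return cookies.get("JSESSIONID") in self.sessions


def replay(secure_on_https: bool = True, clear_site_data: bool = False) -> bool:
    """https login -> logout -> http login; return whether the next http
    request is authenticated."""
    jar, server = BrowserJar(), SessionServer(secure_on_https)
    jar.store("https", server.login("https"))
    server.logout(jar.cookie_header("https"))
    if clear_site_data:
        jar.cookies.clear()
    # Over http the browser does not send the old Secure JSESSIONID, so the
    # server issues a new one; the jar rejects it while the Secure one remains.
    jar.store("http", server.login("http"))
    return server.is_authenticated(jar.cookie_header("http"))


if __name__ == "__main__":
    print("http login after https login+logout:", replay())
    print("same after clearing site data:      ", replay(clear_site_data=True))
    print("same with Secure never set:         ", replay(secure_on_https=False))
```

Running it shows the first replay failing and the other two succeeding, which matches the three observations in the question. Turning `secure_on_https` off makes the HTTP login work again, but only by letting the session cookie travel in cleartext; the mitigation that keeps the Secure attribute is to serve the login flow over HTTPS only (or to have logout expire the cookie with an HTTPS response) so the browser never holds a stale Secure cookie that an HTTP response cannot replace.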