I'm using Web sessions in a SeedStack application but needs the session cookie to be secured by the httpOnly flag.
Since there is no configuration option for that, how can I achieve this with the current version ?
Asked
Active
Viewed 113 times
1
-
1Thanks for your question. It has been closed but I requested it to be re-opened. – Adrien LAUER Mar 05 '20 at 15:57
-
It's been reopened apparently, if you have any hint on how to do this @AdrienLAUER – ymeleouet Mar 10 '20 at 13:43
1 Answers
1
It is not possible for now to configure the session cookie used by Undertow but I added the relevant options to make it possible in the upcoming version (20.4 at the end of April).
For now, as a workaround, you can implement a ServletContainerInitializer to configure the session cookie manually:
public class MyServletContainerInitializer implements ServletContainerInitializer {
@Override
public void onStartup(Set<Class<?>> classes, ServletContext servletContext) {
servletContext.getSessionCookieConfig().setHttpOnly(true);
}
Your class must be registered in a META-INF/services/javax.servlet.ServletContainerInitializer file:
org.myorg.myproject.MyServletContainerInitializer
Note that you can statically obtain a configuration facade with Seed.baseConfiguration(). This makes it possible to alter cookie options using applicative configuration.
Adrien LAUER
- 444
- 2
- 7