I want to set the 'secure' flag on the JSESSIONID cookie. Is there a configuration in Tomcat 6 for this?

I tried setting 'secure="true"' in the 'Connector' (8080) element of server.xml, but it creates problems ... that is, the connection is getting reset.

Note that in my application, the JSESSIONID is created in 'http' mode (index page); when the user logs in, it switches into 'https' mode.

Mariselvam
  • This is the correct behaviour of Tomcat. Your session will begin at HTTP time with the JSESSIONID; this will change to a different one at HTTPS. So what exactly do you want to do? – JoseK Sep 27 '11 at 12:26
  • Did you figure it out eventually? – Assaf Karmon Aug 01 '12 at 21:05

3 Answers

If you are using Tomcat 6 you can do the following workaround:

// Re-emit the session cookie with the Secure and HttpOnly attributes
String sessionid = request.getSession().getId();
// setHeader replaces any Set-Cookie header already on the response
response.setHeader("Set-Cookie", "JSESSIONID=" + sessionid + "; Secure; HttpOnly");

See https://www.owasp.org/index.php/HttpOnly for more information.

Koray Güclü
  • I know this is an old answer, but where exactly would this code snippet go? – ninjasense Jul 11 '13 at 17:31
  • You have two options depending on the version of your Servlet API. 1.) The old Servlet API (< 3) does not set this flag automatically; you need to implement this in a filter. 2.) The new Servlet API has a configuration option for that; you do not need to write anything, you can set the configuration accordingly. – Koray Güclü Jul 18 '13 at 10:34
  • This solution would remove other cookies on the response object. The `addHeader` method would generate two cookies with the same name, and a cookie added through your solution is ignored. – curious1 Jul 25 '22 at 02:56
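The filter the comments ask for, written for Servlet 2.5 (what Tomcat 6 implements, so no Servlet 3.0 cookie-config is available). This is an added example, not code from the answer. It relies on the same setHeader("Set-Cookie") rewrite as the answer, with two changes a practitioner would want: it sets Path to the context path so the rewritten cookie replaces the one Tomcat issued (a cookie without Path defaults to the request's directory and would sit beside Tomcat's), and it records cookies the application added through response.addCookie() and re-adds them after the rewrite, since setHeader discards every Set-Cookie already on the response. The class name and the assumption that Tomcat uses the context path, or "/" for the root context, as the session cookie path are mine.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not from the original answer) for Servlet 2.5 / Tomcat 6.
 * On HTTPS requests that carry a session it re-emits JSESSIONID with the
 * Secure and HttpOnly attributes, without losing application cookies.
 */
public class SecureSessionCookieFilter implements Filter {

    /** Forwards application cookies normally but remembers them for re-adding. */
    private static final class CookieRecordingResponse extends HttpServletResponseWrapper {
        final List<Cookie> recorded = new ArrayList<Cookie>();

        CookieRecordingResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            recorded.add(cookie);   // kept so the later setHeader() rewrite cannot drop it
            super.addCookie(cookie);
        }
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        CookieRecordingResponse wrapped = new CookieRecordingResponse(response);
        chain.doFilter(request, wrapped);

        HttpSession session = request.getSession(false);
        // Headers can only be changed while the response is still uncommitted;
        // isSecure() is only true if Tomcat itself knows the request came over TLS.
        if (request.isSecure() && session != null && !response.isCommitted()) {
            // Replaces every Set-Cookie on the response, including the one Tomcat
            // added internally when it created the session.
            response.setHeader("Set-Cookie", buildSessionCookie(request, session.getId()));
            // addCookie appends rather than replaces, so the application cookies come back.
            for (Cookie cookie : wrapped.recorded) {
                response.addCookie(cookie);
            }
        }
    }

    /** Path must match Tomcat's own cookie: the context path, or "/" for the root context (assumed). */
    static String buildSessionCookie(HttpServletRequest request, String sessionId) {
        String contextPath = request.getContextPath();
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        return "JSESSIONID=" + sessionId + "; Path=" + path + "; Secure; HttpOnly";
    }
}
```

Register it in web.xml with a filter element whose filter-class is SecureSessionCookieFilter and a filter-mapping with url-pattern /*, placed before any other filter that commits the response. Two caveats for the asker's setup: first, request.isSecure() is false behind a TLS-terminating proxy unless Tomcat is told about it (for example through RemoteIpValve and an X-Forwarded-Proto header), in which case the filter never fires; second, the session ID was already sent in clear during the HTTP index page, so the login handler should call session.invalidate() and request.getSession(true) over HTTPS before the Secure cookie is relied on, otherwise the Secure flag protects an ID an on-path attacker may already have.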
Use the attribute useHttpOnly="true". In Tomcat 9 the default value is true.
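The two configuration knobs behind this answer, shown together as an added example rather than text from the answer. useHttpOnly on the Context element sets only the HttpOnly attribute; the Secure attribute on the session cookie is a Servlet 3.0 feature (Tomcat 7 and later), configured in web.xml. File locations are the usual ones and are assumptions here.

```xml
<!-- Added example, not part of the original answer. -->

<!-- Tomcat: conf/context.xml (all applications) or META-INF/context.xml (one application).
     Marks JSESSIONID HttpOnly; this does not add the Secure attribute. -->
<Context useHttpOnly="true">
</Context>

<!-- Servlet 3.0 web.xml (Tomcat 7 and later): both attributes on the session cookie. -->
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
```

With secure set to true the cookie is marked Secure unconditionally, so a session created on a plain-HTTP index page, as in the question, is never sent back by the browser over HTTP and that session effectively stops working until the user is on HTTPS. Either serve the whole site over HTTPS, or create the session only after the switch to HTTPS.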

For an nginx proxy it can be solved easily in the nginx config:

# send plain-HTTP requests to HTTPS
if ($scheme = http) {
    return 301 https://$http_host$request_uri;
}

# append the Secure attribute to cookies the backend sets with Path=/
proxy_cookie_path / "/; secure";
Grigory Kislin
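A fuller nginx configuration for this approach, added as an example and not part of the answer. proxy_cookie_path matches on the cookie's Path attribute, so the literal "/" pattern above only rewrites cookies issued with Path=/; a Tomcat application deployed under a context path issues JSESSIONID with Path=/app and is not matched. The regex form keeps whatever path the backend sent, and on nginx 1.19.3 or later proxy_cookie_flags sets the attributes by cookie name without touching Path at all. The host name, backend address, certificate paths and the /app deployment are assumptions.

```nginx
# Added example, not from the original answer. Assumes Tomcat on 127.0.0.1:8080
# and an application deployed under /app (both assumed).
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;   # never serve the application over plain HTTP
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/tls/example.com.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        # Lets Tomcat's RemoteIpValve report request.isSecure() == true
        proxy_set_header X-Forwarded-Proto https;

        # nginx 1.19.3+: add the attributes to the session cookie whatever its Path
        proxy_cookie_flags JSESSIONID secure httponly;

        # Older nginx: keep the original Path (e.g. /app) and append the attributes
        # proxy_cookie_path ~^(/.*)$ "$1; Secure; HttpOnly";
    }
}
```

Because the rewrite happens in the proxy, it works even when Tomcat believes the request is plain HTTP, which is the usual state behind a TLS-terminating proxy. Keep in mind that proxy_cookie_path does nothing for a cookie sent without a Path attribute, and that marking JSESSIONID Secure at the proxy does not replace an ID that was already exposed over HTTP; the login step should still start a fresh session.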