Securing the cookie

In this section we will explain how to secure the cookie for the Blueriq Publisher.

The secure flag (true | false) is specified in the deployment descriptor (publisher/WEB-INF/web.xml):

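<web-app ...>
	<session-config>
		<!-- The secure flag is a child of cookie-config (Servlet 3.0 and later) -->
		<cookie-config>
			<secure>true</secure>
		</cookie-config>
	</session-config>
</web-app>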

The Blueriq cookie is not secured by default. Securing the cookie should take place at the same location where the SSL offloading is done. The reason is that a cookie with the secure flag set cannot be sent over an unencrypted HTTP request. For example, if the SSL offloading is done by the load balancer, the secure flag should be enabled there and disabled in the deployment descriptor.

The only case in which to enable the secure flag as specified above is when offloading takes place on the application server where the Publisher is deployed (Tomcat, JBoss, WebSphere).

 

Timeout

In this section we will explain how to set the session timeout for the Blueriq Publisher.

The session-timeout value (in minutes) is specified in the deployment descriptor (publisher/WEB-INF/web.xml):

<web-app ...>
	<session-config>
		<session-timeout>20</session-timeout>
	</session-config>
</web-app>
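
The following check is an added example, not part of the Blueriq documentation or product: it reads a deployment descriptor and reports the secure flag and session timeout against where SSL offloading takes place. The sample descriptor is constructed, the function names and the tls_on_app_server parameter are hypothetical, and it assumes the Servlet 3.0 layout in which the secure element sits inside cookie-config.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not taken from a real Blueriq installation).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>20</session-timeout>
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""


def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def child(parent, name):
    """Return the first direct child with the given local name, or None."""
    if parent is None:
        return None
    return next((c for c in parent if local(c.tag) == name), None)


def audit_session_config(web_xml_text, tls_on_app_server):
    """Report the session cookie settings and whether they fit the deployment.

    tls_on_app_server: True when SSL ends on the application server itself,
    False when a load balancer or proxy in front of it does the offloading.
    """
    root = ET.fromstring(web_xml_text)
    session = child(root, "session-config")
    secure_el = child(child(session, "cookie-config"), "secure")
    timeout_el = child(session, "session-timeout")
    secure = secure_el is not None and (secure_el.text or "").strip().lower() == "true"
    timeout = int(timeout_el.text.strip()) if timeout_el is not None and timeout_el.text else None
    findings = []
    if child(session, "secure") is not None:
        findings.append("<secure> directly under <session-config>: move it into <cookie-config>")
    if tls_on_app_server and not secure:
        findings.append("SSL ends on the application server but the secure flag is off")
    if not tls_on_app_server and secure:
        findings.append("SSL is offloaded upstream: set the secure flag there, not in web.xml")
    if timeout is None:
        findings.append("no session-timeout set: the container default applies")
    return {"secure": secure, "timeout_minutes": timeout, "findings": findings}
```

Run it against publisher/WEB-INF/web.xml by passing the file's text as the first argument; an empty findings list means the descriptor matches the stated offloading location.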