Securing the cookie
From release 15.13 onwards the secure flag of the session cookie is enabled by default. In earlier versions it was disabled by default.
From Blueriq version 14.7 onwards the secure session cookie can be disabled by configuring the following property:
blueriq.session.cookie.secure=false
In older versions the secure session cookie setting could be enabled with an environment variable set to the following value:
BLUERIQ_SECURE_SESSION_COOKIE=true
This environment variable was removed in Blueriq 15.
Securing the cookie should take place at the same location where the SSL offloading is done, because a cookie carrying the secure flag cannot be sent over an unencrypted HTTP request. For example, if the SSL offloading is done by the load balancer, the secure flag should not be set by the runtime, as the requests that reach the runtime are unencrypted HTTP; the load balancer, where the connection is encrypted, should add the flag instead.
The only case in which the secure flag should be enabled in the runtime as described above is when the SSL offloading takes place on the application server where the Runtime is deployed.
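The following Python script is an added example, not Blueriq's own code or documentation. It models the rule above: the Secure flag is put on the session cookie by whichever component terminates TLS, and a check inspects the header as the browser would receive it. The Set-Cookie values, the cookie name and the 'loadbalancer'/'runtime' labels are constructed for the example.

```python
"""Added example (not Blueriq's own code): apply and verify the rule that the
Secure flag is put on the session cookie by whichever component terminates TLS.
Set-Cookie values, the cookie name and the offload-location labels are
constructed for this example."""
from typing import List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, List[str]]:
    """Split a Set-Cookie header value into (name, value, attribute tokens)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = [p for p in parts[1:] if p]
    return name.strip(), value.strip(), attrs


def has_flag(header: str, flag: str) -> bool:
    """True if a value-less attribute such as 'Secure' or 'HttpOnly' is present
    (attribute names are case-insensitive)."""
    _, _, attrs = parse_set_cookie(header)
    return any(a.lower() == flag.lower() for a in attrs)


def add_secure_flag(header: str) -> str:
    """What a TLS-terminating load balancer does to the runtime's Set-Cookie:
    append 'Secure' exactly once and leave the other attributes untouched."""
    return header if has_flag(header, "Secure") else header + "; Secure"


def cookie_as_browser_sees_it(runtime_header: str, offload_location: str) -> str:
    """Model the two deployments from the text.
    'loadbalancer': the runtime is reached over plain HTTP, so it leaves the
                    flag off (blueriq.session.cookie.secure=false) and the
                    load balancer adds it on the encrypted side.
    'runtime':      TLS ends on the application server, so the runtime sets
                    the flag itself and nothing in between changes the header."""
    if offload_location == "loadbalancer":
        return add_secure_flag(runtime_header)
    if offload_location == "runtime":
        return runtime_header
    raise ValueError(f"unknown offload location: {offload_location!r}")


def check_edge_cookie(edge_header: str) -> List[str]:
    """Defender's check on the header as delivered to the browser over HTTPS.
    Returns findings; an empty list means the session cookie is acceptable."""
    findings = []
    if not has_flag(edge_header, "Secure"):
        findings.append("Secure flag missing on the session cookie")
    return findings


# Constructed sample: what the runtime emits when it sits behind an offloader
# and therefore does not set the Secure flag itself.
RUNTIME_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"

if __name__ == "__main__":
    # Offloading at the load balancer: flag added there, check passes.
    # Offloading at the runtime with the flag left disabled: check fails.
    for where in ("loadbalancer", "runtime"):
        edge = cookie_as_browser_sees_it(RUNTIME_COOKIE, where)
        print(f"offloading at {where:12}: {edge}  ->  {check_edge_cookie(edge) or 'OK'}")
```

Running the script shows the two situations side by side: with offloading at the load balancer the cookie reaches the browser with the Secure flag, while a runtime that terminates TLS itself but still has the flag disabled is reported by the check.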
Timeout
In this section we explain how to set the session timeout for the Blueriq Runtime you are using (Java or .NET).
Java Runtime
In the Java Runtime the way of defining the session timeout differs between R10 and R9 or older versions.
For R9 or older versions, the timeout is specified in minutes in the deployment descriptor (web.xml):
<web-app ...>
  <session-config>
    <session-timeout>20</session-timeout>
  </session-config>
</web-app>
For R10 the Runtime uses the Spring Boot common properties, which can be specified in application.properties or passed as a VM argument. The value is in seconds; note that in a .properties file a comment must be on its own line, as a trailing # would become part of the value:
# Session timeout in seconds.
server.session.timeout=1200
In R11 Spring renamed this property to:
# Session timeout in seconds.
server.servlet.session.timeout=1200
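The following Python script is an added example, not part of Blueriq's documentation or code base. It reads the timeout from each of the three configuration forms shown above (R9 web.xml in minutes, R10 server.session.timeout and R11 server.servlet.session.timeout in seconds) and normalises it to seconds, so the value can be checked when migrating between versions; it also shows why an inline comment after a property value breaks it. It goes slightly beyond the text in accepting the Spring Boot 2 duration suffixes such as 20m. The web.xml and properties snippets it contains are constructed for the example.

```python
"""Added example (not Blueriq's own code): read the session timeout from the
three configuration forms named above and normalise it to seconds, so that a
value migrated between R9 (web.xml, minutes), R10 (server.session.timeout,
seconds) and R11 (server.servlet.session.timeout, seconds) can be compared.
The web.xml and properties snippets below are constructed for the example."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Property key per runtime generation, as named in the text.
TIMEOUT_KEYS = {
    "R10": "server.session.timeout",
    "R11": "server.servlet.session.timeout",
}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def timeout_from_web_xml(web_xml: str) -> Optional[int]:
    """R9 and older: <session-timeout> holds minutes; return seconds."""
    root = ET.fromstring(web_xml)
    for node in root.iter():  # drop the default namespace, if web.xml declares one
        if node.tag.startswith("{"):
            node.tag = node.tag.split("}", 1)[1]
    el = root.find("./session-config/session-timeout")
    if el is None or el.text is None:
        return None
    return int(el.text.strip()) * 60


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader. '#' and '!' open a comment only at the start
    of a line; a trailing ' # ...' on a key=value line stays part of the value."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        key, sep, value = stripped.partition("=")
        if not sep:
            key, sep, value = stripped.partition(":")
        props[key.strip()] = value.strip()
    return props


def timeout_from_properties(text: str, generation: str) -> Optional[int]:
    """R10/R11: a plain number is seconds. Spring Boot 2 also accepts duration
    suffixes (e.g. 20m), handled here too. Returns None when the key for this
    generation is absent or the value is not a clean duration, which is what
    happens when an inline comment has been glued onto the value."""
    raw = parse_properties(text).get(TIMEOUT_KEYS[generation])
    if raw is None:
        return None
    m = re.fullmatch(r"(\d+)\s*([smh])?", raw)
    if m is None:
        return None
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def session_timeout_seconds(config: str, generation: str) -> Optional[int]:
    """Dispatch on the runtime generation: 'R9' reads web.xml, 'R10'/'R11'
    read application.properties with their respective key."""
    if generation == "R9":
        return timeout_from_web_xml(config)
    if generation in TIMEOUT_KEYS:
        return timeout_from_properties(config, generation)
    raise ValueError(f"unknown runtime generation: {generation!r}")


# Constructed samples, one per generation, all meant to express 20 minutes.
WEB_XML_R9 = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>20</session-timeout>
  </session-config>
</web-app>"""
PROPS_R10 = "# Session timeout in seconds.\nserver.session.timeout=1200\n"
PROPS_R11 = "server.servlet.session.timeout=20m\n"
# The inline-comment style breaks the value: it is no longer a number.
PROPS_BROKEN = "server.session.timeout=1200 # Session timeout in seconds.\n"

if __name__ == "__main__":
    for label, cfg, gen in (("R9", WEB_XML_R9, "R9"), ("R10", PROPS_R10, "R10"),
                            ("R11", PROPS_R11, "R11"), ("R10 broken", PROPS_BROKEN, "R10")):
        print(f"{label:10}: {session_timeout_seconds(cfg, gen)}")
```

Feeding an R11 properties file to the R10 reader (or the other way round) returns None because the key is not found under the old name, which is the symptom to expect after the rename when the timeout silently falls back to the default.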