This page has moved:

Info: This guide applies to the Java runtime, the .NET runtime and the Publisher.

Introduction

Setting the Secure flag on the session cookie instructs the browser to send that cookie only over HTTPS, so the session identifier is never transmitted in plain text over an HTTP connection. For information on this flag see https://www.owasp.org/index.php/SecureFlag.

This setting should always be enabled when using HTTPS. Tomcat 6+ sets the Secure flag by default whenever HTTPS is used, but the flag can also be set explicitly by the application, regardless of the server implementation. This guide details the procedure for enabling this feature.

Warning: Enabling this feature on an HTTP connection will cause the browser to withhold the session cookie from every request, effectively making the application unusable.

Step-by-step guide

In order to enable the Secure flag, modify the WEB-INF/web.xml file in the application WAR. Look for the following section:

	<session-config>
		<cookie-config>
			<http-only>true</http-only>
			<!-- Enable this when HTTPS is used -->
			<!-- <secure>true</secure> -->
		</cookie-config>
	</session-config>

Uncomment the <secure> element, like this:

...

	<session-config>
		<cookie-config>
			<http-only>true</http-only>
			<secure>true</secure>
		</cookie-config>
	</session-config>

Restart the application server.

.NET Runtime

...

In the application's web.config, set requireSSL="true" on the httpCookies element:

<system.web>
	...
	<httpCookies requireSSL="true"/>
	...
</system.web>
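To confirm that the web.xml change (Java) or the web.config change (.NET) actually took effect after the restart, the Set-Cookie headers returned by the application can be audited for the Secure and HttpOnly attributes. The following script is an added example, not part of the original article; it assumes the session cookie is named JSESSIONID (Java) or ASP.NET_SessionId (.NET) and uses constructed sample headers.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags."""
from typing import Dict, List

# Assumed session cookie names for the Java and .NET runtimes.
SESSION_COOKIES = {"JSESSIONID", "ASP.NET_SessionId"}
REQUIRED_FLAGS = {"Secure", "HttpOnly"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and attributes.

    Attribute names are lower-cased because browsers match them
    case-insensitively (Secure, secure and SECURE are equivalent).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for each session cookie seen.

    An empty list means the cookie carries both Secure and HttpOnly.
    """
    findings = {}
    for h in headers:
        c = parse_set_cookie(h)
        if c["name"] not in SESSION_COOKIES:
            continue
        missing = [f for f in sorted(REQUIRED_FLAGS)
                   if f.lower() not in c["attrs"]]
        findings[c["name"]] = missing
    return findings


# Constructed sample headers: before and after enabling the Secure flag.
BEFORE = ["JSESSIONID=abc123; Path=/; HttpOnly"]
AFTER = ["JSESSIONID=abc123; Path=/; Secure; HttpOnly",
         "ASP.NET_SessionId=xyz; path=/; secure; httponly"]

if __name__ == "__main__":
    print(audit_set_cookie(BEFORE))  # {'JSESSIONID': ['Secure']}
    print(audit_set_cookie(AFTER))   # {'JSESSIONID': [], 'ASP.NET_SessionId': []}
```

In practice the header list is taken from an HTTPS response to the login page; any non-empty list in the result means the configuration change has not been picked up.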
