Securing the cookie
In this section we explain how to secure the session cookie, depending on the Blueriq Runtime you are using (Java or .NET).
Java Runtime
In the Java Runtime the way of securing the cookie differs between R10 and R9 or older versions.
For R9 or older versions, the value (true | false) is specified in the deployment descriptor (web.xml):
<web-app ...>
  <session-config>
    <!-- In the Servlet 3.0 schema the secure flag is nested in cookie-config -->
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
For R10-R14 you can set the environment variable BLUERIQ_SECURE_SESSION_COOKIE to true.
BLUERIQ_SECURE_SESSION_COOKIE=true
For R14.7 and newer, you can set a property:
blueriq.session.cookie.secure=true
By default, the secure flag of the session cookie is enabled since release 15.13. In earlier versions, the property was disabled by default.
Disabling the secure session cookie from Blueriq version 14.7 onwards can be done by configuring the following property. For R16 and newer, this property is set to true by default; to unsecure the cookie, set the property to false:
blueriq.session.cookie.secure=false
.NET Runtime
In the .NET Runtime there is no difference in the way of securing the cookie between R10 and R9 or older versions.
The value is specified in Web.config under the <system.web> tag:
<system.web>
  <httpCookies requireSSL="true" />
</system.web>
In older versions it was possible to enable the secure session cookie setting with an environment variable:
BLUERIQ_SECURE_SESSION_COOKIE=true
This option is removed in Blueriq 15.
Note
The Blueriq cookie is not secured by default. Securing the cookie should take place at the same location where the SSL offloading is done, because it is not possible to send a cookie with the secure flag set over an unencrypted HTTP request. For example, if the SSL offloading is done by the load balancer, the secure flag should be enabled there and disabled from that point on, as requests to the Runtime are made over unencrypted HTTP. The only use case for enabling the secure flag as specified above is when offloading takes place on the application server where the Runtime is deployed (Tomcat, JBoss, WebSphere).
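Whichever of the settings above applies to your runtime, the result is only visible in the Set-Cookie header the client actually receives, so it is worth checking on the hop you care about (the load balancer's public side, or the application server when it terminates SSL itself). The script below is an added example written for this page, not Blueriq code: it parses Set-Cookie headers from a response, picks out the session cookie and reports whether the Secure and HttpOnly attributes match the hop the response was captured on. The cookie names JSESSIONID and ASP.NET_SessionId are the servlet and ASP.NET defaults and are an assumption about what the Runtime emits; the sample responses are constructed.

```python
"""Audit the Secure/HttpOnly attributes of session cookies in HTTP response headers.

Added example for this page, not Blueriq code. The cookie names are the default
servlet (JSESSIONID) and ASP.NET (ASP.NET_SessionId) names and are an assumption
about what the Runtime emits; check your own deployment's cookie name.
"""
from typing import Dict, List, Tuple, Union

# Assumed session cookie names for the Java and .NET runtimes.
SESSION_COOKIE_NAMES = {"JSESSIONID", "ASP.NET_SessionId"}

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header_value: str) -> Tuple[str, str, Attrs]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_session_cookies(headers: List[Tuple[str, str]]) -> List[dict]:
    """Return one finding per session cookie found in the response headers."""
    findings = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(header_value)
        if name not in SESSION_COOKIE_NAMES:
            continue
        findings.append({
            "cookie": name,
            "secure": attrs.get("secure") is True,
            "httponly": attrs.get("httponly") is True,
            "samesite": attrs.get("samesite"),
        })
    return findings


def check_response(headers: List[Tuple[str, str]], over_tls: bool) -> List[str]:
    """Compare the cookie flags with the hop the response was captured on.

    over_tls says whether the captured hop was HTTPS. Per the note above, the
    Secure flag belongs on the hop where SSL is offloaded; a Secure cookie seen
    on a plain-HTTP hop will not be returned by the client over that hop.
    """
    issues = []
    for finding in audit_session_cookies(headers):
        cookie = finding["cookie"]
        if over_tls and not finding["secure"]:
            issues.append(f"{cookie}: missing Secure flag on a TLS response")
        if not over_tls and finding["secure"]:
            issues.append(f"{cookie}: Secure flag set on a plain-HTTP response; "
                          "browser will not return the cookie")
        if not finding["httponly"]:
            issues.append(f"{cookie}: missing HttpOnly flag")
    return issues


# Constructed sample responses (not captured from a real system).
SAMPLE_JAVA_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/Runtime; Secure; HttpOnly"),
]
SAMPLE_DOTNET_RESPONSE = [
    ("Set-Cookie", "ASP.NET_SessionId=abcdef; path=/; HttpOnly"),
    ("Set-Cookie", "language=en; Path=/"),  # not a session cookie, ignored
]

if __name__ == "__main__":
    for label, headers in (("java/https", SAMPLE_JAVA_RESPONSE),
                           ("dotnet/https", SAMPLE_DOTNET_RESPONSE)):
        print(label, "->", check_response(headers, over_tls=True) or "OK")
```

Run it against headers captured with your browser's developer tools or curl -I on the public URL and, separately, on the runtime's plain-HTTP port behind the load balancer; the two runs should show the Secure flag present on the first and absent on the second when offloading is done by the load balancer, exactly as the note describes.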
Timeout
In this section we explain how to set the session timeout, depending on the Blueriq Runtime you are using (Java or .NET).
Java Runtime
In the Java Runtime the way of defining the session timeout differs between R10 and R9 or older versions.
...
# Session timeout in seconds (a trailing comment on the same line would become part of the value).
server.servlet.session.timeout=1200
Info
If you are upgrading from R9 to R10, pay attention to the session timeout unit. In R9 and older versions the value is specified in minutes; in R10 it is specified in seconds.
.NET Runtime
In the .NET Runtime there is no difference in the way of specifying the session timeout between R10 and R9 or older versions.
The value, in minutes, is specified in Web.config under the <system.web> tag:
<system.web>
  <sessionState timeout="20" />
</system.web>