Introduction
Setting the Secure flag on the session cookie tells the browser to send that cookie only over HTTPS, so the session identifier is never transmitted in plain text over an HTTP connection. For background on the flag see https://www.owasp.org/index.php/SecureFlag.
This setting should always be enabled when the application is served over HTTPS. Tomcat 6+ sets the Secure flag on its own whenever the request itself arrives over HTTPS, but the flag can also be set explicitly by the application, regardless of the container. The explicit setting is the reliable choice when TLS is terminated at a reverse proxy or load balancer: the container then sees a plain HTTP connection and will not add the flag unless it has been told that the connection is secure. This guide details the procedure for enabling the flag in the application's web.xml.
Info: This guide applies to the Java runtime and the Publisher.
Info: Enabling this feature on a plain HTTP connection makes the application unusable: the browser will not return a Secure cookie over HTTP (and current browsers refuse to store one that was set over HTTP), so the server cannot recognise the session and every request starts a new one.
Step-by-step guide
In order to enable the Secure flag, modify the WEB-INF/web.xml file in the application WAR. The <cookie-config> element is part of the Servlet 3.0 web.xml schema, so the container must support Servlet 3.0 (Tomcat 7 or later). Look for the following section:

```xml
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <!-- Enable this when https -->
        <!-- <secure>true</secure> -->
    </cookie-config>
</session-config>
```
Uncomment the <secure> element, like this:
...
```xml
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
```
Restart the application server.
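After the restart, verify that the container really emits the flag rather than trusting the configuration. The following Python script is an added example, not part of this page or of the product: it parses Set-Cookie header values and reports whether the session cookie (assumed here to be the default Tomcat name JSESSIONID) carries both the Secure and HttpOnly attributes. The two sample headers are constructed to mirror the "before" and "after" states of the web.xml change above; in practice, feed it the Set-Cookie lines from `curl -sI https://your-host/your-app/` (the host and path are placeholders).

```python
"""Check Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not from the original page). The sample headers below are
constructed; replace them with the real ones, e.g. from
    curl -sI https://your-host/your-app/ | grep -i '^set-cookie'
"""
from typing import Iterable, List, NamedTuple, Optional


class CookieCheck(NamedTuple):
    name: str
    secure: bool
    http_only: bool
    problems: tuple  # human-readable findings, empty when the cookie is fine


def parse_set_cookie(header: str) -> CookieCheck:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix).

    Attribute names are matched case-insensitively, as browsers do, so
    'secure', 'Secure' and 'SECURE' are all accepted.
    """
    value = header.strip()
    if value.lower().startswith("set-cookie:"):
        value = value.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";") if p.strip()]
    # First segment is name=value; the rest are attributes such as Path=/app
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    secure = "secure" in attrs
    http_only = "httponly" in attrs
    problems: List[str] = []
    if not secure:
        problems.append("missing Secure: cookie would be sent over plain HTTP")
    if not http_only:
        problems.append("missing HttpOnly: cookie readable from JavaScript")
    return CookieCheck(name, secure, http_only, tuple(problems))


def check_session_cookie(headers: Iterable[str],
                         session_cookie: str = "JSESSIONID") -> Optional[CookieCheck]:
    """Return the check result for the session cookie, or None if the
    response set no cookie of that name (e.g. the session was not created)."""
    for header in headers:
        result = parse_set_cookie(header)
        if result.name == session_cookie:
            return result
    return None


# Constructed sample responses: before and after uncommenting <secure>true</secure>
SAMPLE_BEFORE = ["Set-Cookie: JSESSIONID=7F3A2B1C9D; Path=/app; HttpOnly"]
SAMPLE_AFTER = ["Set-Cookie: JSESSIONID=7F3A2B1C9D; Path=/app; Secure; HttpOnly"]


if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        result = check_session_cookie(headers)
        if result is None:
            print(f"{label}: no JSESSIONID cookie in response")
        elif result.problems:
            print(f"{label}: FAIL - " + "; ".join(result.problems))
        else:
            print(f"{label}: OK - Secure and HttpOnly both present")
```

Run the check against the HTTPS endpoint that clients actually use. Behind a TLS-terminating proxy, checking the container directly over HTTP would not reproduce what the browser sees; the web.xml setting above applies in both cases, which is why it is preferred over relying on the container's automatic behaviour.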