Blueriq session & cookie

Blueriq Runtime and Publisher use the HTTP session to store data before it is persisted. As OWASP recommends, the session timeout should be set as low as the application allows (https://owasp.org/www-community/Session_Timeout). Depending on your infrastructure, the Secure flag can be set on the session cookie so that the browser only sends it over HTTPS (https://owasp.org/www-community/controls/SecureCookieAttribute). Both the session timeout and the Secure flag can be configured by following the steps in the articles below:

Since release 16.0 the Secure flag of the session cookie is enabled by default. In earlier versions it was disabled by default.

From Blueriq 14.7 onwards the Secure flag of the session cookie can be disabled by setting the following property:

application.properties:

    blueriq.session.cookie.secure=false

In versions before 14.7 the Secure flag could be enabled with the following environment variable:

    BLUERIQ_SECURE_SESSION_COOKIE=true


Note

When the Secure flag is set on the session cookie, the browser only sends the cookie back to the server over a secured connection (HTTPS).

If the Runtime is reached over plain HTTP while the cookie carries the Secure flag, the browser never returns the cookie, so every request starts a new session and you will get errors about Blueriq sessions not being found or being expired.


Additionally, the SameSite attribute can be set on the session cookie; see Security: SameSite. This option is removed in Blueriq 15.
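To verify what a deployment actually sends, the following added example (not Blueriq's own code) parses the Set-Cookie headers returned by the Runtime, reports whether the session cookie carries Secure, HttpOnly and SameSite, and models the browser rule behind the note above: a Secure cookie is never attached to an http:// request, which is why sessions appear "not found" when the Runtime is reached over plain HTTP. The session cookie name JSESSIONID and the sample headers are assumptions and constructed data, not captured from a real installation; pass your own cookie name if the deployment uses a different one.

```python
"""Audit the session cookie a Blueriq Runtime (or any HTTP server) sets.

Added example, not Blueriq's own code. It parses Set-Cookie headers, reports
missing Secure / HttpOnly / SameSite attributes on the session cookie, and
shows why a Secure cookie is not sent back when the runtime is served over
plain HTTP. The cookie name JSESSIONID is an assumption (the usual servlet
container default); the sample headers below are constructed, not captured.
"""
from urllib.parse import urlparse


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into {'name', 'value', 'attrs'}.

    Attribute names are lower-cased. Flag attributes (Secure, HttpOnly) map
    to True; valued attributes (Path, SameSite, Max-Age, ...) to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(set_cookie_headers, session_cookie_name="JSESSIONID"):
    """Return a list of findings for the session cookie among the headers.

    An empty list means the cookie was found and carries Secure, HttpOnly
    and an explicit SameSite attribute.
    """
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != session_cookie_name:
            continue
        attrs = cookie["attrs"]
        findings = []
        if attrs.get("secure") is not True:
            findings.append("missing Secure: cookie is also sent over plain HTTP")
        if attrs.get("httponly") is not True:
            findings.append("missing HttpOnly: cookie is readable from script")
        if "samesite" not in attrs:
            findings.append("no SameSite attribute: browser default applies")
        return findings
    return [f"no Set-Cookie for {session_cookie_name} found"]


def browser_would_send(cookie: dict, request_url: str) -> bool:
    """Model the Secure rule: a Secure cookie is only attached to https:// requests.

    This is the mechanism behind the "session not found / expired" errors when
    the runtime is reached over HTTP while the cookie carries the Secure flag.
    """
    scheme = urlparse(request_url).scheme.lower()
    if cookie["attrs"].get("secure") is True:
        return scheme == "https"
    return scheme in ("http", "https")


# Constructed sample responses (assumption: not from a real deployment).
HARDENED = [
    "JSESSIONID=9F2C1A; Path=/Runtime; Secure; HttpOnly; SameSite=Lax",
]
LEGACY = [
    "JSESSIONID=9F2C1A; Path=/Runtime; HttpOnly",
    "tracking=abc; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(label, audit_session_cookie(headers) or ["ok"])
    secure_cookie = parse_set_cookie(HARDENED[0])
    for url in ("http://runtime.example/Runtime", "https://runtime.example/Runtime"):
        print(url, "-> cookie sent:", browser_would_send(secure_cookie, url))
```

Feed the function the real Set-Cookie headers from a response to the Runtime's login URL (for example, collected with curl -i) to confirm that the configured blueriq.session.cookie.secure value is what the server actually emits; a reverse proxy or load balancer in front of the Runtime can rewrite cookie attributes, so checking the header at the browser side is more reliable than checking the property file alone.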