
This guide applies to the Java runtime, .NET runtime and the Publisher.

Introduction

Setting the Secure flag on the session cookie instructs the browser to send that cookie only over HTTPS, so the session identifier is never transmitted in plain text over an HTTP connection. For information on this flag see https://www.owasp.org/index.php/SecureFlag.

This setting should always be enabled when the application is served over HTTPS. Tomcat 6+ sets the Secure flag by default whenever HTTPS is used, but the flag can also be set explicitly by the application regardless of the server implementation. This guide describes how to enable it.


Warning

Enabling this feature on an HTTP connection will cause the browser not to send the session cookie back to the application, effectively making the application unusable.


Step-by-step guide

To enable the Secure flag, modify the WEB-INF/web.xml file in the application WAR. Look for the following section:

	<session-config>
		<cookie-config>
			<http-only>true</http-only>
			<!-- Enable this when https -->
			<!-- <secure>true</secure> -->
		</cookie-config>
	</session-config>

Uncomment the <secure> element, like this:

	<session-config>
		<cookie-config>
			<http-only>true</http-only>
			<secure>true</secure>
		</cookie-config>
	</session-config>

Restart the application server.

.NET Runtime

In the .NET application's configuration file, look for the system.web section and add the following property:

<system.web>
	...
	<httpCookies requireSSL="true"/>
	...
</system.web>
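To confirm that the change took effect after the server restart, the following check is an added example and not part of this guide: it parses the Set-Cookie headers a server returns and reports whether the session cookie carries the Secure (and HttpOnly) attribute. The cookie names JSESSIONID and ASP.NET_SessionId are assumed to be the runtimes' defaults; the sample headers are constructed for illustration, and the HTTPS fetch helper is only used when a hostname is passed on the command line.

```python
"""Check Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not part of the original guide. It parses Set-Cookie
headers as returned by a server and reports session cookies that lack
the Secure flag. Cookie names, sample headers and the hostname are
assumptions made for illustration.
"""
import http.client
import sys
from typing import Dict, List

# Default session cookie names for the Java (JSESSIONID) and .NET
# (ASP.NET_SessionId) runtimes. Assumption: the application uses the
# runtime's default name; adjust if yours differs.
SESSION_COOKIE_NAMES = {"JSESSIONID", "ASP.NET_SessionId"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are normalised to lower case; flag attributes such as
    Secure and HttpOnly are stored as True, valued ones keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_flags(header: str) -> List[str]:
    """Return the attributes this guide expects that the header lacks."""
    attrs = parse_set_cookie(header)["attrs"]
    missing = []
    if attrs.get("secure") is not True:
        missing.append("Secure")
    if attrs.get("httponly") is not True:
        missing.append("HttpOnly")
    return missing


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each session cookie found in `headers` to its missing flags.

    Cookies that are not session cookies are ignored so the report
    stays focused on the cookies this guide is about.
    """
    report = {}
    for h in headers:
        name = parse_set_cookie(h)["name"]
        if name in SESSION_COOKIE_NAMES:
            report[name] = missing_flags(h)
    return report


def fetch_set_cookie_headers(host: str, path: str = "/", port: int = 443) -> List[str]:
    """Fetch `path` over HTTPS and return every Set-Cookie header value.

    Network helper for checking your own deployment after the restart;
    it is not used by the offline demonstration below.
    """
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample headers: a Java session cookie as issued before the
# change (no Secure flag), a .NET session cookie after it, and an
# unrelated cookie that the audit should ignore.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly",
    "ASP.NET_SessionId=fedcba9876543210; path=/; HttpOnly; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for cookie, missing in audit_headers(headers).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Run it without arguments to see the report for the constructed headers, or with a hostname to inspect a real HTTPS deployment; a session cookie reported as "missing Secure" means the web.xml or system.web change above is not in effect on that server.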
