JSESSION cookie should be "secure"
It is a good practice to do so.
It should be done with:
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd"> <Configure class="org.eclipse.jetty.webapp.WebAppContext"> <Get name="sessionHandler"> <Get name="sessionManager"> <Set name="secureCookies" type="boolean">true</Set> </Get> </Get> </Configure>
But it does not seems to work, certainly because our link between jetty and apache is HTTP (not S). Or because there is a problem if we speciy several "Set" (there is one other for #11158)
#4 Updated by François ARMAND 10 months ago
Perhaps for both this one, httpOnly, and removing jetty header, the config could be done in apache with mod_header https://serverfault.com/questions/645964/httponly-and-secure-cookies-with-apache-mod-header-for-all-cookies
That would allows to put all that config on the same place, even if we have cookies from other app one day (like technique editor or whatever), and not be dependent of jetty (nor its version).
#11 Updated by Vincent MEMBRÉ 9 months ago
- Status changed from Pending release to Released