set 'secure' flag to JSESSION id cookie

悲&欢浪女 2021-01-22 06:51

I want to set the 'secure' flag on the JSESSIONID cookie. Is there a configuration in Tomcat 6 for this?

I tried by setting 'secure="true"' in 'Connector' (8080) e

3 answers
  • 2021-01-22 07:42

    Use the attribute useHttpOnly="true". In Tomcat 9 the default value is true.

  • 2021-01-22 07:46

    If you are using Tomcat 6 you can do the following workaround:

    // Re-send the session cookie by hand with the Secure and HttpOnly attributes.
    String sessionid = request.getSession().getId();
    response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure ; HttpOnly");
    

    See https://www.owasp.org/index.php/HttpOnly for more information.

  • 2021-01-22 07:47

    For an nginx proxy it could be solved easily in the nginx config:

    if ($scheme = http) {
        return 301 https://$http_host$request_uri;
    }
    
    proxy_cookie_path / "/; secure";
    
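A check for the result of either approach above (the hand-written `Set-Cookie` header or the nginx `proxy_cookie_path` rewrite), as an added example that is not part of the original answers: it parses the `Set-Cookie` headers of a response and reports which `JSESSIONID` cookies still lack `Secure` or `HttpOnly`. The function names and the sample header lines are constructed for illustration.

```python
REQUIRED = ("secure", "httponly")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, attrs)."""
    first, *rest = value.split(";")
    name, _, cookie_value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val  # attribute names are case-insensitive
    return name, cookie_value, attrs


def audit_session_cookie(header_lines, cookie_name="JSESSIONID"):
    """Return one finding per Set-Cookie header that sets cookie_name.

    Every occurrence is checked: a response can carry several Set-Cookie
    headers for the same name (the container's plus one added by code).
    """
    findings = []
    for line in header_lines:
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name != cookie_name:
            continue
        missing = [flag for flag in REQUIRED if flag not in attrs]
        findings.append({"header": line.strip(), "missing": missing})
    return findings


# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: JSESSIONID=0123ABCD; Path=/app",          # no flags
    "SET-COOKIE: JSESSIONID=0123ABCD; secure ; HttpOnly",  # servlet workaround form
    "Set-Cookie: JSESSIONID=0123ABCD; Path=/; secure",     # Secure only
    "Set-Cookie: JSESSIONID=0123ABCD; Path=/; secureapp",  # mangled attribute
    "Set-Cookie: theme=dark; Path=/",                      # other cookie, ignored
]

if __name__ == "__main__":
    for finding in audit_session_cookie(SAMPLE_HEADERS):
        print(", ".join(finding["missing"]) or "ok", "|", finding["header"])
```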