Making JSESSIONID cookie be httpOnly in Jetty 7

Submitted by 本秂侑毒 on 2020-01-02 10:26:06

Question


We're running Grails 2.0 + Jetty 7.6.6 and need to set the JSESSIONID cookie to be httpOnly. All of the answers on Stack Overflow seem to refer to either Servlet 3.0 (which requires Jetty 8) or to Tomcat. Can anyone provide me with a clear way of setting the JSESSIONID cookie to be httpOnly for Jetty 7.x?

I have tried adding a jetty-web.xml file with the following contents, but it still didn't work (i.e. the JSESSIONID wasn't marked as httpOnly):

<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="httpOnly" type="boolean">true</Set>
        </Get>
    </Get>
</Configure>

Answer 1:


All I had to do was put the jetty-web.xml in the right folder. Initially I was putting it into the jetty/etc folder, but instead it should have been in the WEB-INF directory.



Source: https://stackoverflow.com/questions/12968217/making-jsessionid-cookie-be-httponly-in-jetty-7
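A build-time check for the placement problem described in the answer, added here as an example and not part of the original question or answer: it opens a WAR and reports whether jetty-web.xml is at WEB-INF/jetty-web.xml and sets httpOnly to true on the session manager. It assumes the application is deployed as a WAR; the function names, status strings and in-memory sample archives are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

EXPECTED = "WEB-INF/jetty-web.xml"  # location named in the answer
HTTP_ONLY = ("./Get[@name='sessionHandler']/Get[@name='sessionManager']"
             "/Set[@name='httpOnly']")

def sets_http_only(xml_bytes):
    """True if the descriptor sets httpOnly to true on the session manager."""
    root = ET.fromstring(xml_bytes)
    return any((el.text or "").strip().lower() == "true"
               for el in root.findall(HTTP_ONLY))

def check_war(war):
    """war is a path or file-like object; returns (status, entry name)."""
    with zipfile.ZipFile(war) as zf:
        names = zf.namelist()
        if EXPECTED in names:
            ok = sets_http_only(zf.read(EXPECTED))
            return ("ok" if ok else "not-set", EXPECTED)
        # A descriptor anywhere else in the archive is flagged as misplaced.
        strays = [n for n in names if n.rsplit("/", 1)[-1] == "jetty-web.xml"]
        return ("misplaced", strays[0]) if strays else ("missing", "")

def build_war(entries):
    """Build a constructed in-memory WAR from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

# Constructed sample: the descriptor from the question.
SAMPLE = b"""<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="httpOnly" type="boolean">true</Set>
        </Get>
    </Get>
</Configure>"""

if __name__ == "__main__":
    print(check_war(build_war({EXPECTED: SAMPLE})))
    print(check_war(build_war({"WEB-INF/classes/jetty-web.xml": SAMPLE})))
    print(check_war(build_war({"WEB-INF/web.xml": b"<web-app/>"})))
```

A descriptor kept in the server's jetty/etc folder, as in the answer's first attempt, never enters the WAR, so the check reports it as missing.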
