Project

General

Profile

Actions
Copy link

Bug #11159

closed

JSESSION cookie should be "secure"

Added by François ARMAND over 7 years ago. Updated over 5 years ago.

Status:
Released
Priority:
N/A
Assignee:
Benoît PECCATTE
Category:
Security
Target version:
3.1.22
Pull Request:
https://github.com/Normation/rudder/p...
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
Fix check:
Regression:

Description

It is a good practice to do so.

It should be done with:

<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="secureCookies" type="boolean">true</Set>
        </Get>
    </Get>
</Configure>

But it does not seems to work, certainly because our link between jetty and apache is HTTP (not S). Or because there is a problem if we speciy several "Set" (there is one other for #11158)
See: https://stackoverflow.com/questions/3038223/how-to-get-jetty-to-send-jsessionid-cookies-with-the-secure-flag-when-using-a-se

Subtasks 2 (0 open2 closed)

Bug #11163: Enable mod header for apacheRejectedBenoît PECCATTEActions
Bug #11167: Add apache hearder rewrite rules to secure/httponly cookiesReleasedBenoît PECCATTEActions

Related issues 2 (0 open2 closed)

Related to Rudder - Bug #11158: JSESSION cookie should be "httpOnly"RejectedActions
Related to Rudder - Bug #11160: We should not send Jetty version in header responseRejectedActions
Actions
Copy link

Also available in: Atom PDF