Kai Moritz

Reputation: 621

How to get jetty to send jsessionid-cookies with the secure-flag when using a secure channel

I am using Tomcat in my production environment and jetty in my testing environment (via jetty-maven-plugin).

Tomcat sets the secure-flag on a jsessionid-cookie when it is sending it over a secure channel (https), which looks like a good idea to me, because it prevents the session from being exposed when the user clicks on an http://-link. But Jetty does not!

I would like to force Jetty to behave like Tomcat and always set the secure-flag on jsessionid-cookies sent over a secure channel, because otherwise my testing environment behaves considerably differently than my production environment. But I cannot find any configuration option to achieve this.

I am also wondering if this is a security bug in Jetty, because not marking a jsessionid-cookie sent over a secure channel as secure reveals the secure session if the user switches back to an insecure channel.

Upvotes: 6

Views: 9996

Answers (2)

gawi

Reputation: 14227

The configuration changes needed to set the secureCookies property can be added to the jetty-web.xml file:

<Get name="sessionHandler">
  <Get name="sessionManager">
    <Set name="secureCookies">true</Set>
  </Get>
</Get>

Upvotes: 1

Channing Walton

Reputation: 4007

I am adding the following just to show the complete example that worked for me.

Put the following in WEB-INF/jetty-web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="secureCookies" type="boolean">true</Set>
        </Get>
    </Get>
</Configure>

Upvotes: 4
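A way to verify that the configuration above actually took effect, as an added example that is not part of either answer: it audits Set-Cookie headers captured from test requests and reports any JSESSIONID issued over https without the Secure attribute, which is exactly the behaviour the question complains about. The sample responses are constructed, and the cookie name set is an assumption (the servlet-container default).

```python
"""Audit Set-Cookie headers for session cookies issued over https without the Secure flag."""
from urllib.parse import urlsplit

# Assumption: the session cookie uses the servlet-container default name.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True so callers can test them uniformly.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def find_insecure_session_cookies(responses):
    """responses: iterable of (request_url, [set_cookie_header, ...]).

    Returns (url, cookie_name) pairs for session cookies set over https
    without the Secure attribute. Responses over plain http are skipped:
    a cookie that is already on the wire in clear text is a different problem.
    """
    findings = []
    for url, headers in responses:
        if urlsplit(url).scheme.lower() != "https":
            continue
        for header in headers:
            name, _value, attrs = parse_set_cookie(header)
            if name.upper() in SESSION_COOKIE_NAMES and not attrs.get("secure"):
                findings.append((url, name))
    return findings


# Constructed sample captures (not real traffic): the first https response is
# the unpatched Jetty behaviour, the second shows the cookie after secureCookies=true.
SAMPLE_RESPONSES = [
    ("https://app.example.test/login", ["JSESSIONID=abc123; Path=/; HttpOnly"]),
    ("https://app.example.test/account", ["JSESSIONID=def456; Path=/; Secure; HttpOnly"]),
    ("http://app.example.test/public", ["JSESSIONID=ghi789; Path=/"]),
]

if __name__ == "__main__":
    for url, name in find_insecure_session_cookies(SAMPLE_RESPONSES):
        print(f"{name} set over {url} without the Secure flag")
```

Feed it the Set-Cookie headers from the jetty-maven-plugin instance (for example from curl -i over https) to confirm the testing environment now matches Tomcat.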
