mahesh

Reputation: 969

set session cookie secure and httpOnly for LFR_SESSION_STATE_%

Environment:

  1. Liferay 6.2 with JBoss

We are trying to implement HttpOnly and Secure.

For this we have done some changes like below.

Added in portal-ext.properties:

cookie.http.only.names.excludes=

and

Added the following in ROOT.war/WEB-INF/web.xml:

     <session-config>
      <cookie-config>
       <http-only>true</http-only>
       <secure>true</secure>
      </cookie-config>
     </session-config>

I can see that all the session cookies are HttpOnly except the ones starting with LFR_SESSION_STATE_.

Can anyone suggest how we can handle this?

Upvotes: 3

Views: 3941
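The `<cookie-config>` element in web.xml (Servlet 3.0) only governs the container's own session cookie (JSESSIONID); cookies that the application sets itself, whether from server-side code or from JavaScript, are not affected by it, and a cookie written by JavaScript can never carry HttpOnly at all. So the practical check after a change like the one above is to look at the Set-Cookie headers the server actually sends and see which cookie lacks which flag. The following is an added example, not code from the question or from Liferay: it parses Set-Cookie header values and reports missing Secure/HttpOnly flags per cookie, treating the LFR_SESSION_STATE_ prefix as a client-side cookie family for which HttpOnly is not expected. The sample headers are constructed, and the `CLIENT_SIDE_PREFIXES` list and `fetch_set_cookie_headers` helper are this example's own assumptions.

```python
"""Audit Set-Cookie header values for missing Secure / HttpOnly flags.

Added example (not from the original post or from Liferay). Sample headers
below are constructed to look like a Liferay 6.2 response on JBoss.
"""
import urllib.request
from dataclasses import dataclass

# Assumption for this example: cookies with these name prefixes are written
# by client-side JavaScript, so HttpOnly cannot apply to them. Secure is
# still expected, because JavaScript can set a cookie as Secure over HTTPS.
CLIENT_SIDE_PREFIXES = ("LFR_SESSION_STATE_",)


@dataclass
class CookieCheck:
    name: str
    secure: bool
    http_only: bool
    client_side: bool

    @property
    def missing(self) -> list:
        """Flags this cookie should carry but does not."""
        flags = []
        if not self.secure:
            flags.append("Secure")
        if not self.http_only and not self.client_side:
            flags.append("HttpOnly")
        return flags


def parse_set_cookie(header_value: str) -> CookieCheck:
    """Parse one Set-Cookie value; attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieCheck(
        name=name,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        client_side=name.startswith(CLIENT_SIDE_PREFIXES),
    )


def audit(set_cookie_headers: list) -> dict:
    """Map each cookie name to the list of flags it lacks (empty list = OK)."""
    return {c.name: c.missing for c in map(parse_set_cookie, set_cookie_headers)}


def fetch_set_cookie_headers(url: str) -> list:
    """Fetch a URL and return every Set-Cookie header value the server sent.

    Not used by the offline sample below; call it against your own portal,
    e.g. fetch_set_cookie_headers("https://portal.example.com/").
    """
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample: one cookie per typical Liferay cookie family.
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C; Path=/; Secure; HttpOnly",
    "COMPANY_ID=10154; Path=/; Secure; HttpOnly",
    "GUEST_LANGUAGE_ID=en_US; Path=/; Secure",
    "LFR_SESSION_STATE_10158=1415000000000; Path=/",
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Run against the constructed sample, JSESSIONID and COMPANY_ID pass, GUEST_LANGUAGE_ID is flagged for HttpOnly, and LFR_SESSION_STATE_10158 is flagged only for Secure, since HttpOnly is not achievable for a cookie written in the browser.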

Answers (1)

Sudesh Kantila

Reputation: 21

LFR_SESSION_STATE_ are cookies that are explicitly handled on the client side and not on the server side; thus they're inherently only accessed through JS. As far as I know they're never even persisted on the server side, and I don't expect any real leakage from these cookies. In my perception the cookies are about determining state of the kind "should this help item be shown with full text or just collapsed".

Upvotes: 2
