Hi,
We are trying to address a CSRF issue, and one part of that is to mark the cookie Secure.
We are using Jetty 6.1.15 and do the following in a JettyCustomizer:
    import java.util.Dictionary;

    // Imports assume the Equinox JettyCustomizer and the Jetty 6 (org.mortbay) packages.
    import org.eclipse.equinox.http.jetty.JettyCustomizer;
    import org.mortbay.jetty.servlet.AbstractSessionManager;
    import org.mortbay.jetty.servlet.Context;
    import org.mortbay.jetty.servlet.SessionHandler;

    public class ExtJettyCustomizer extends JettyCustomizer {
        public Object customizeContext(Object context, Dictionary settings) {
            Context httpContext = (Context) context;
            if (httpContext.getSessionHandler() != null) {
                final SessionHandler sessionHandler = httpContext.getSessionHandler();
                if (sessionHandler.getSessionManager() instanceof AbstractSessionManager) {
                    AbstractSessionManager sessionManager =
                        (AbstractSessionManager) sessionHandler.getSessionManager();
                    // Ask Jetty to mark the session cookie HttpOnly and Secure.
                    sessionManager.setHttpOnly(true);
                    sessionManager.setSecureCookies(true);
                }
            }
            // Always delegate to the default customization, even when no session handler exists.
            return super.customizeContext(httpContext, settings);
        }
    }
Despite setting setSecureCookies(true) on the AbstractSessionManager, when observing the JSESSIONID cookie, its Secure flag is not set.
NOTE: We are using HTTPS Apache proxying to HTTP Jetty. I understand that this is the reason the Secure flag is not set. If I need to do it in Apache, can anyone let me know how to configure this setting in Apache?
Is there any additional setting we need to do to ensure this?
Thanks
Kuga
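An added example, not code from the post or from Jetty, showing two things a practitioner would want here: a check of the Set-Cookie headers the browser actually receives from the TLS-terminating proxy (to confirm whether Secure and HttpOnly are present on JSESSIONID), and the proxy-side rewrite the post asks about, expressed as a function that appends the missing flags. The response headers are constructed to mirror the setup described (Apache over HTTPS in front of plain-HTTP Jetty, so Jetty does not mark the cookie Secure); the cookie name JSESSIONID is taken from the post, and the header list shape is an assumption for the example.

```python
"""Audit and harden Set-Cookie headers at the TLS-terminating proxy.

Example code added to this thread; not from the original post or from Jetty.
"""

# Attributes a session cookie served over HTTPS must carry.
REQUIRED_ATTRS = ("secure", "httponly")
CANONICAL = {"secure": "Secure", "httponly": "HttpOnly"}

# Constructed sample: what the browser sees from Apache in front of HTTP Jetty.
# Jetty set HttpOnly but, because its own request was plain HTTP, not Secure.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=1a2b3c4d; Path=/app; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def missing_flags(header_value, required=REQUIRED_ATTRS):
    """Return the required attributes absent from this Set-Cookie value."""
    _, _, attrs = parse_set_cookie(header_value)
    return [a for a in required if a not in attrs]


def audit(headers, cookie_name="JSESSIONID"):
    """Return the flags missing on cookie_name, or None if that cookie is not set."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cname, _, _ = parse_set_cookie(value)
        if cname == cookie_name:
            return missing_flags(value)
    return None


def harden(header_value, required=REQUIRED_ATTRS):
    """Append the missing flags, as the proxy would. Idempotent."""
    missing = missing_flags(header_value, required)
    if not missing:
        return header_value
    return header_value.rstrip("; ") + "".join("; " + CANONICAL[a] for a in missing)


def harden_response(headers, cookie_name="JSESSIONID"):
    """Rewrite only the named cookie's Set-Cookie header; leave other headers alone."""
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie" and parse_set_cookie(value)[0] == cookie_name:
            value = harden(value)
        out.append((name, value))
    return out


if __name__ == "__main__":
    print("missing before:", audit(SAMPLE_RESPONSE_HEADERS))
    fixed = harden_response(SAMPLE_RESPONSE_HEADERS)
    print("missing after: ", audit(fixed))
    for name, value in fixed:
        print(f"{name}: {value}")
```

The audit is the check to run against the public HTTPS endpoint rather than against Jetty directly, since the flag has to be present in what the browser stores. The rewrite is scoped to the session cookie so that a proxy-side rule does not accidentally mark cookies the application intends to send over plain HTTP.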