On 04/01/2021 06:02, Amit Khosla wrote:
> Hi,
>
> We are still facing this issue. Can someone please help us?
In a clean 8.5.x install, session cookies are only marked as secure if the
request that triggered the session creation is made over a secure channel
(typically HTTPS).

If you amend the session configuration in $CATALINA_BASE/conf/web.xml from:

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

to

    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <secure>true</secure>
        </cookie-config>
    </session-config>

then session cookies will be generated with the secure flag whether or not
the request that triggered the session creation was made over a secure
channel.

Reviewing the thread:

Are you sure you are amending the correct web.xml file? One way to check
this is to make a deliberate error in the file and confirm that this error
is reported when Tomcat starts.

Note that you can only use <session-config> once in a web.xml file. If the
web.xml file already contains a <session-config> element you must add to
that existing element.

Configuration in the application's web.xml file will override the global
web.xml file. Make sure that the application's web.xml either does not
specify a value for secure or specifies true.

If you still have issues:

- start with a clean Tomcat 8.5.x install
- confirm that http://localhost:8080/examples/servlets/servlet/SessionExample
  generates a set-cookie header without the secure attribute
- stop Tomcat
- close the browser
- amend conf/web.xml as above
- start Tomcat
- confirm that http://localhost:8080/examples/servlets/servlet/SessionExample
  generates a set-cookie header with the secure attribute
- retest with your application

You must close the browser between each request you expect to generate a
session cookie to prevent any existing session from being used.

If this test fails then you'll need to check the application source code.
It is possible that the application is overriding your attempts to make the
session cookie secure.
Mark

>
> Thanks & Regards
> Amit
>
> On Fri, Jan 1, 2021 at 8:22 PM Amit Khosla <amitkhosla.j...@gmail.com>
> wrote:
>
>> Thanks for reply!
>>
>> We did changes in <CATALINA_HOME>/conf/web.xml.
>> But when the changes did not reflect, we made changes in the specific app as
>> well. But we could not see the cookie as secure.
>>
>> We verified by the response headers seen in the Chrome developer tool. The
>> cookie JSESSIONID does not have a secure flag.
>>
>> By the way, Happy New Year!
>>
>> On Thu, Dec 31, 2020 at 5:01 PM Darryl Lewis <darryl.le...@unsw.edu.au>
>> wrote:
>>
>>> Did you make the changes to <CATALINA_HOME>/conf/web.xml ? It seems you
>>> may have made them just to that specific our_app application
>>>
>>> Are you sure you are testing it correctly?
>>> Can you try https://gf.dev/http-headers-test
>>>
>>> On 31/12/20, 8:29 pm, "Amit Khosla" <amitkhosla.j...@gmail.com> wrote:
>>>
>>> Thanks for reply,
>>> we did restart the server while trying. The issue is still there even
>>> after restart.
>>>
>>> On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <darryl.le...@unsw.edu.au>
>>> wrote:
>>>
>>> > <session-config>
>>> >     <cookie-config>
>>> >         <http-only>true</http-only>
>>> >         <secure>true</secure>
>>> >     </cookie-config>
>>> > </session-config>
>>> >
>>> > Restart the server.
>>> >
>>> > On 31/12/20, 3:50 pm, "Amit Khosla" <amitkhosla.j...@gmail.com> wrote:
>>> >
>>> > Hi Team,
>>> >
>>> > We are looking forward to JSESSIONID being secure.
>>> >
>>> > We made changes in web.xml in tomcat/conf:
>>> >
>>> > <session-config>
>>> >     <cookie-config>
>>> >         <http-only>true</http-only>
>>> >         <secure>true</secure>
>>> >     </cookie-config>
>>> > </session-config>
>>> >
>>> > But even after the changes, we are not able to get the JSESSIONID
>>> > cookie as secure.
>>> >
>>> > We also tried changes in web.xml of our application, i.e.,
>>> > tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not getting it
>>> > secure.
>>> >
>>> > The Tomcat version we are using is 8.5.53.
>>> >
>>> > We are getting the same issue on Windows as well as Linux machines.
>>> >
>>> > Can you please guide us on what can be done, as this is required as per
>>> > security compliance?
>>> >
>>> > Thanks & Regards
>>> >
>>> > Amit
>>>
>>> --
>>> Thanks & Regards
>>> Amit Khosla
>>
>> --
>> Thanks & Regards
>> Amit Khosla
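An added example, not from the thread or from Tomcat itself: a small Python checker for the two things Mark's procedure verifies, that a web.xml declares <session-config> exactly once with <cookie-config><secure>true</secure>, and that the Set-Cookie header for JSESSIONID actually carries the Secure attribute. The web.xml fragments and headers are constructed samples; the namespace is assumed to be the one Tomcat 8.5's conf/web.xml declares, and unnamespaced application files are handled too.

```python
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://xmlns.jcp.org/xml/ns/javaee"  # assumed: namespace used by Tomcat 8.5 conf/web.xml

def audit_session_config(web_xml_text):
    """Count <session-config> elements (must be exactly one) and read <cookie-config> flags."""
    root = ET.fromstring(web_xml_text)
    # Application web.xml files sometimes omit the namespace; match either form.
    q = (lambda n: "{%s}%s" % (JAVAEE_NS, n)) if root.tag.startswith("{") else (lambda n: n)
    configs = root.findall(q("session-config"))
    summary = {"session_config_count": len(configs), "secure": None, "http_only": None}
    for cfg in configs:
        cookie_cfg = cfg.find(q("cookie-config"))
        if cookie_cfg is None:
            continue
        for key, elem in (("secure", "secure"), ("http_only", "http-only")):
            node = cookie_cfg.find(q(elem))
            if node is not None and node.text:
                summary[key] = node.text.strip().lower() == "true"
    return summary

def session_cookie_is_secure(response_headers, cookie_name="JSESSIONID"):
    """True/False if Set-Cookie for cookie_name carries Secure; None if that cookie was not set."""
    for name, value in response_headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        if parts[0].split("=", 1)[0] != cookie_name:
            continue
        # Attribute names are case-insensitive; value-less attributes like Secure have no "=".
        return "secure" in {p.split("=", 1)[0].lower() for p in parts[1:]}
    return None  # no Set-Cookie for this cookie: an existing session may have been reused

# Constructed samples (not captured from a real Tomcat instance).
DEFAULT_WEB_XML = """<web-app xmlns="%s" version="3.1">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>""" % JAVAEE_NS
SECURE_WEB_XML = """<web-app xmlns="%s" version="3.1">
  <session-config><session-timeout>30</session-timeout>
    <cookie-config><secure>true</secure></cookie-config></session-config>
</web-app>""" % JAVAEE_NS
TWICE_WEB_XML = """<web-app>
  <session-config><session-timeout>30</session-timeout></session-config>
  <session-config><cookie-config><secure>true</secure></cookie-config></session-config>
</web-app>"""
PLAIN_HEADERS = [("Set-Cookie", "JSESSIONID=CONSTRUCTED123; Path=/examples; HttpOnly")]
SECURE_HEADERS = [("Set-Cookie", "JSESSIONID=CONSTRUCTED123; Path=/examples; Secure; HttpOnly")]

if __name__ == "__main__":
    print(audit_session_config(SECURE_WEB_XML), session_cookie_is_secure(SECURE_HEADERS))
```

A session_config_count other than 1 is the "only use <session-config> once" mistake; a None from session_cookie_is_secure means the response set no JSESSIONID at all, which is what you see when the browser was not closed between requests.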