Hi there,

I use Tomcat 9.0.68 and the org.apache.catalina.filters.RemoteIpFilter filter behind an NGINX reverse proxy. On the NGINX I set the HTTP header X-Forwarded-Proto to https. If I now make a request with a browser to the reverse proxy, the JSESSIONID cookie I get back is missing the secure attribute.

I have debugged the RemoteIpFilter: the isSecure flag of the wrapper request it creates is correctly set to true. Unfortunately, the method getSession() or getSession(Boolean) is forwarded to the wrapped original request, where the isSecure flag is still not set. Therefore, the JSESSIONID cookie is missing the secure flag. See org.apache.catalina.connector.Request method doGetSession and org.apache.catalina.core.ApplicationSessionCookieConfig method createSessionCookie.

This seems to be a bug. As a workaround, org.apache.catalina.valves.RemoteIpValve can be used, which seems to handle this correctly. Also, the secure flag can be enforced by setting it in the web.xml. However, I would like to use RemoteIpFilter because it has some advantages over the RemoteIpValve or statically setting it in the web.xml.

Should I file an issue for this?

Regards,
Reto Weiss
El. Ing. HTL
Product Owner / Core Developer
Axon Ivy AG
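
A check for the symptom reported above, as an added example that is not part of the original message or of Tomcat: it audits `Set-Cookie` response headers for a session cookie that lacks the `Secure` attribute although the request was forwarded as https. The function names and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers as returned through the reverse proxy.
SESSION_COOKIE = "JSESSIONID"  # session cookie name taken from the message above


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_response(forwarded_proto, set_cookie_headers, cookie_name=SESSION_COOKIE):
    """Return findings for the session cookie in one response.

    forwarded_proto is the X-Forwarded-Proto value the proxy sent upstream.
    """
    findings = []
    if forwarded_proto.strip().lower() != "https":
        return findings  # a plain-http request is outside this check
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name == cookie_name and "secure" not in attrs:
            findings.append(f"{name}: Secure attribute missing on an https-forwarded request")
    return findings


# Constructed sample headers (not captured from a real server).
SAMPLE_WITHOUT_SECURE = ["JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly"]
SAMPLE_WITH_SECURE = ["theme=dark; Path=/",
                      "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("without Secure", SAMPLE_WITHOUT_SECURE),
                           ("with Secure", SAMPLE_WITH_SECURE)):
        print(label, "->", audit_response("https", headers))
```
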