On 08/02/2023 12:26, Reto Weiss wrote:
Hi There
I use Tomcat 9.0.68 and the
org.apache.catalina.filters.RemoteIpFilter behind an NGINX
reverse proxy. On the NGINX I set the http header X-Forwarded-Proto to
https.
If I now make a request with a Browser to the reverse proxy the
JSESSIONID cookie I get back is missing the secure attribute.
I have debugged the RemoteIpFilter: the isSecure flag of the wrapper
request it creates is correctly set to true. Unfortunately, the method
getSession() or getSession(Boolean) is forwarded to the wrapped original
request where the isSecure flag is still not set. Therefore, the
JSESSIONID cookie is missing the secure flag. See
org.apache.catalina.connector.Request method doGetSession and
org.apache.catalina.core.ApplicationSessionCookieConfig method
createSessionCookie.
This seems to be a bug.
As a workaround org.apache.catalina.valves.RemoteIpValve can be used,
which seems to handle this correctly. Also, the secure flag can be
enforced by setting it in the web.xml.
However, I would like to use RemoteIpFilter because it has some
advantages over the RemoteIpValve or statically setting it in the web.xml.
Should I file an issue for this?
Yes please. Thanks for reporting this.
Mark
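Added illustration of the delegation path Reto describes (this is not Tomcat
source and not code from the thread): a filter-style wrapper overrides
isSecure() but inherits getSession(), which runs on the wrapped request,
so the container builds the session cookie from the wrapped request's own
flag. All class and method names below (ContainerRequest, RequestWrapper,
ForwardedProtoWrapper, hasSecureAttribute) are invented for the model; only
the shape mirrors HttpServletRequestWrapper -> wrapped request -> cookie
creation. The second half shows why a valve that sets the flag on the
container request itself gets a Secure cookie. The X-Forwarded-Proto value
and the JSESSIONID value are constructed sample data.

```java
import java.util.ArrayList;
import java.util.List;

/** Toy model only; names are invented and nothing here is Tomcat's code. */
public class SecureCookieDelegation {

    interface HttpRequest {
        boolean isSecure();
        String getSession();
    }

    /** Stand-in for the container's own request object (the wrapped original). */
    static class ContainerRequest implements HttpRequest {
        private boolean secure;
        final List<String> setCookieHeaders = new ArrayList<>();

        ContainerRequest(boolean secure) { this.secure = secure; }

        @Override public boolean isSecure() { return secure; }

        /** A valve sees this object directly and can flip the flag here. */
        void setSecure(boolean secure) { this.secure = secure; }

        /** Models session creation: the cookie is built from THIS object's flag. */
        @Override public String getSession() {
            String cookie = "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"; // constructed sample id
            if (secure) {
                cookie += "; Secure";
            }
            setCookieHeaders.add(cookie);
            return "0123456789ABCDEF";
        }
    }

    /** Stand-in for HttpServletRequestWrapper: every call is forwarded to the wrapped request. */
    static class RequestWrapper implements HttpRequest {
        protected final HttpRequest wrapped;
        RequestWrapper(HttpRequest wrapped) { this.wrapped = wrapped; }
        @Override public boolean isSecure() { return wrapped.isSecure(); }
        @Override public String getSession() { return wrapped.getSession(); }
    }

    /**
     * Filter-style wrapper: trusts X-Forwarded-Proto and overrides isSecure(),
     * but inherits getSession(), which still executes on the wrapped request.
     */
    static class ForwardedProtoWrapper extends RequestWrapper {
        private final boolean forwardedHttps;
        ForwardedProtoWrapper(HttpRequest wrapped, String xForwardedProto) {
            super(wrapped);
            this.forwardedHttps = "https".equalsIgnoreCase(xForwardedProto);
        }
        @Override public boolean isSecure() { return forwardedHttps; }
    }

    /** Check a Set-Cookie header value for the Secure attribute (case-insensitive). */
    static boolean hasSecureAttribute(String setCookieHeader) {
        for (String part : setCookieHeader.split(";")) {
            if (part.trim().equalsIgnoreCase("Secure")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String xForwardedProto = "https"; // constructed: what the proxy sends

        // Filter path: TLS ends at the proxy, so the connector's request says "not secure".
        ContainerRequest viaFilter = new ContainerRequest(false);
        HttpRequest filtered = new ForwardedProtoWrapper(viaFilter, xForwardedProto);
        filtered.getSession();
        String filterCookie = viaFilter.setCookieHeaders.get(0);
        System.out.println("filter wrapper isSecure(): " + filtered.isSecure());
        System.out.println("filter cookie: " + filterCookie
                + " (Secure present: " + hasSecureAttribute(filterCookie) + ")");

        // Valve path: the flag is set on the container request itself before the session exists.
        ContainerRequest viaValve = new ContainerRequest(false);
        viaValve.setSecure("https".equalsIgnoreCase(xForwardedProto));
        viaValve.getSession();
        String valveCookie = viaValve.setCookieHeaders.get(0);
        System.out.println("valve cookie: " + valveCookie
                + " (Secure present: " + hasSecureAttribute(valveCookie) + ")");
    }
}
```

Compile and run with javac/java; the first cookie is printed without the
Secure attribute even though the wrapper reports isSecure() as true, the
second with it. The same hasSecureAttribute check is what you would apply
to the real Set-Cookie header from the proxy when verifying the other
workaround Reto mentions, forcing the attribute in web.xml via
session-config/cookie-config/secure set to true.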
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org