Hi All,

This problem is regarding cookie security over SSL (https). We are running a
J2EE web application, and our motive is to get the cookie's "isSecure" flag set
to true. We tried researching the Resin config settings for this but had
no luck. Details of the approach we tried and the issue faced are elaborated
below.

Environment Details
====================
1. Resin 3.1.7 server running a web application called "tool"
2. Apache is in the front forwarding/redirecting all inbound traffic to the
resin server.
3. Apache is set up with trusted SSL certificates from GoDaddy.


Problem Details
================
By default, for all secure https requests, Resin is sending cookies back with
the "isSecure" flag as false.
We tried looking for a Resin config setting to fix this, but couldn't find
any. So we created a servlet filter in our webapp to trap all inbound
requests and manually set the isSecure flag to true.

This servlet filter approach partially fixed the problem. We say partially
because there are two cookies created by the application in the browser.

Cookie 1: Its path is "<domain name>/" and the isSecure flag is "false"
Cookie 2: Its path is "<domain name>/tools" and the isSecure flag is "true"

So Cookie 2 is as expected, but Cookie 1 is not coming back secured. To fix
this we tried deploying the same servlet filter in the ROOT webapp of Resin,
but the problem persisted as before.


Here is the servlet filter code.

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CookieFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        // Only HTTP requests carry cookies
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            HttpServletResponse httpRes = (HttpServletResponse) res;
            // Cookies the browser sent with this request. The Cookie header
            // carries only name=value, so Path, Domain and Secure are not
            // set on these objects.
            Cookie[] cookies = httpReq.getCookies();
            if (cookies != null && cookies.length > 0) {
                for (Cookie cookie : cookies) {
                    // Make the cookie secure
                    cookie.setSecure(true);
                    // Re-send it to the browser as a new Set-Cookie header.
                    // No explicit Path is set, so the browser defaults it to
                    // the directory of the current request URL.
                    httpRes.addCookie(cookie);
                }
            }
        }
        // Cookies added by the application after this point are not touched
        chain.doFilter(req, res);
    }

    public void init(FilterConfig arg0) throws ServletException {
    }

    public void destroy() {
    }

}

Please suggest.

Regards,
Abhinav
_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
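As an added example (not code from the original post, and not a Resin API): a filter that wraps the response so the Secure attribute is forced on cookies at the moment the application sets them, instead of echoing back the cookies the browser sent. It uses only the standard javax.servlet API. It assumes Apache is configured to pass an `X-Forwarded-Proto: https` header to Resin when TLS terminated at Apache; that header name and the Apache setup are assumptions, not something the post states.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Forces the Secure attribute on every cookie the application sets on the
 * response, when the client's original connection was over TLS.
 */
public class SecureCookieFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        if (req instanceof HttpServletRequest && isTls((HttpServletRequest) req)) {
            // Hand the application a wrapped response, so cookies added
            // anywhere down the chain are fixed up as they are set.
            chain.doFilter(req, new SecureCookieResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    /**
     * TLS was either terminated by this container (isSecure) or by the
     * reverse proxy in front of it. The header name is an assumption:
     * Apache must be configured to set it.
     */
    static boolean isTls(HttpServletRequest req) {
        if (req.isSecure()) {
            return true;
        }
        String proto = req.getHeader("X-Forwarded-Proto");
        return proto != null && proto.equalsIgnoreCase("https");
    }

    static class SecureCookieResponse extends HttpServletResponseWrapper {

        SecureCookieResponse(HttpServletResponse res) {
            super(res);
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Path, Domain and MaxAge chosen by the application are kept;
            // only the Secure attribute is forced on.
            cookie.setSecure(true);
            super.addCookie(cookie);
        }

        // Cookies written as raw Set-Cookie headers bypass addCookie; patch those too.
        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withSecure(value) : value);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withSecure(value) : value);
        }

        /** Appends "; Secure" unless the attribute is already present. */
        static String withSecure(String setCookie) {
            for (String part : setCookie.split(";")) {
                if (part.trim().equalsIgnoreCase("Secure")) {
                    return setCookie;
                }
            }
            return setCookie + "; Secure";
        }
    }

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }
}
```

Map it in web.xml with a filter-mapping on `/*` and declare it before any other filter, so every response the rest of the chain sees is the wrapped one. Two caveats: only cookies set through the wrapped response object are affected, and a container usually writes its own session cookie (JSESSIONID) on its internal response object rather than through the wrapper, so a session cookie that comes back without Secure has to be fixed in the container's session configuration, not in a filter. The spec-level switch for that, `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` in web.xml, arrived with Servlet 3.0, which is newer than the Servlet 2.5 level Resin 3.1 implements.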
