I think you need to make sure you are using an SSL connection
(request.isSecure()) before you create the Cookies in the first place.
The behaviour when changing a non-secure cookie to a secure one may be
browser dependent.

 </Mattias>

Abhinav Gupta wrote (2009-09-10 14:34):
> Thanks Jeff,
>
> But we are creating no cookies by our own. Our requirement is to just
> secure the Apache OR Resin created Cookies for session management.
> So we created a generic filter for that.
>
> Regards,
> Abhinav
>
>
> [Resin-interest] Cookie security over SSL (https) connections
> <http://maillist.caucho.com/pipermail/resin-interest/2009-September/004027.html>
>
> Jeff Schnitzer  jeff at infohazard.org
> Wed Sep 9 09:30:32 CDT 2009
>
> ------------------------------------------------------------------------
> Why aren't you creating the cookies with setSecure(true) in the first place?
>
> If you have tons of legacy code that sets cookies, why not create a
> Filter that wraps HttpServletResponse (there is a convenient
> HttpServletResponseWrapper for this), intercepts the addCookie()
> method calls, and calls setSecure(true)?
>
> If you want this value set, you need to set it outbound, not after
> they've already been to the browser.
>
>
> Jeff
>
> On Wed, Sep 9, 2009 at 3:44 AM, Abhinav Gupta <abhinav at appirio.com> wrote:
> > Hi All,
> >
> > This problem is regarding cookie security over SSL (https). We are running a
> > J2EE web application, and our motive is to get the cookie's "isSecure" flag set
> > to true. We tried researching around the Resin config settings for this but
> > no luck. Details of the approach we tried and the issue faced are elaborated
> > below.
> >
> > Environment Details
> > ====================
> > 1. Resin 3.1.7 server running a web application called "tool"
> > 2. Apache is in the front forwarding/redirecting all inbound traffic to the
> >    Resin server.
> > 3. Apache is set up with trusted SSL certificates from GoDaddy.
> >
> > Problem Details
> > ================
> > By default, for all secure https requests, Resin is sending cookies back with
> > the "isSecure" flag as false.
> > We tried looking for Resin config settings to fix this, but can't find any
> > setting. So we created a servlet filter in our webapp to trap all inbound
> > requests and manually set the isSecure flag to true.
> >
> > This servlet filter approach partially fixed the problem. We are saying
> > partially because there are two cookies created by the application in the
> > browser.
> >
> > Cookie 1: Its path is "<domain name>/" and the isSecure flag is "false"
> > Cookie 2: Its path is "<domain name>/tools" and the isSecure flag is "true"
> >
> > So Cookie 2 is as expected, but Cookie 1 is not coming secured. To fix this
> > we tried deploying the same servlet filter in the ROOT webapp of Resin, but
> > the problem persisted as before.
> >
> > Here is the servlet filter code.
> >
> > import java.io.IOException;
> > import javax.servlet.*;
> > import javax.servlet.http.*;
> >
> > public class CookieFilter implements Filter {
> >
> >     public void doFilter(ServletRequest req, ServletResponse res,
> >             FilterChain chain) throws ServletException, IOException {
> >         // Secure if it's an HTTP based request
> >         if (req instanceof HttpServletRequest) {
> >             HttpServletRequest httpReq = (HttpServletRequest) req;
> >             HttpServletResponse httpRes = (HttpServletResponse) res;
> >             // Cookies the browser sent with this request (inbound)
> >             Cookie[] cookies = httpReq.getCookies();
> >             if (cookies != null && cookies.length > 0) {
> >                 for (Cookie cookie : cookies) {
> >                     // Make the cookie secure
> >                     cookie.setSecure(true);
> >                     // Add it to the response
> >                     httpRes.addCookie(cookie);
> >                 }
> >             }
> >         }
> >         chain.doFilter(req, res);
> >     }
> >
> >     public void init(FilterConfig arg0) throws ServletException {
> >     }
> >
> >     public void destroy() {
> >     }
> > }
> >
> > Please suggest.
> >
> > Regards,
> > Abhinav

_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
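The approach Jeff describes, written out as an added example (not code from the thread or from Resin): a filter that wraps the response with HttpServletResponseWrapper so every cookie added on the way out gets setSecure(true), and only when request.isSecure() is true, as Mattias notes. The class names SecureCookieFilter and SecureCookieResponse are my own.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not from the thread: set the Secure flag on outbound
// cookies instead of re-adding cookies the browser already sent.
public class SecureCookieFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        // Only mark cookies Secure when this request actually came in over
        // TLS; otherwise a Secure cookie would never be sent back to us.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            HttpServletResponse wrapped =
                new SecureCookieResponse((HttpServletResponse) res);
            chain.doFilter(req, wrapped);
        } else {
            chain.doFilter(req, res);
        }
    }

    // Response wrapper: every cookie the application (or anything further
    // down the chain) adds through addCookie() is flagged before it is
    // serialised into the Set-Cookie header.
    static class SecureCookieResponse extends HttpServletResponseWrapper {
        SecureCookieResponse(HttpServletResponse res) {
            super(res);
        }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            super.addCookie(cookie);
        }
    }
}
```

Register it in web.xml ahead of the application's other filters; if Apache terminates TLS and forwards plain HTTP to Resin, check what isSecure() returns on the Resin side. Verify the result by inspecting the Set-Cookie header the browser actually receives, since only cookies that pass through addCookie() on this wrapper are affected.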
