https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
Bug ID: 66471
Summary: JSessionId secure attribute missing with RemoteIpFilter and X-Forwarded-Proto set to https
Product: Tomcat 9
Version: 9.0.68
Hardware: PC
Status: NEW
Severity: critical
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: reto.we...@axonivy.com
Target Milestone: -----

I use the org.apache.catalina.filters.RemoteIpFilter filter behind an NGINX reverse proxy. On the NGINX I set the HTTP header X-Forwarded-Proto to https. If I now make a request with a browser to the reverse proxy, the JSESSIONID cookie I get back is missing the secure attribute.

I have debugged the RemoteIpFilter: the isSecure flag of the wrapper request it creates is correctly set to true. Unfortunately, the method getSession() or getSession(Boolean) is forwarded to the wrapped original request, where the isSecure flag is still not set. Therefore, the JSESSIONID cookie is missing the secure flag. See org.apache.catalina.connector.Request method doGetSession and org.apache.catalina.core.ApplicationSessionCookieConfig method createSessionCookie.

As a workaround, org.apache.catalina.valves.RemoteIpValve can be used, which seems to handle this correctly. Also, the secure flag can be enforced by setting it in the web.xml. However, I would like to use RemoteIpFilter because it has some advantages over the RemoteIpValve or statically setting it in the web.xml.
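The delegation problem the report describes, as an added illustration that is not Tomcat source and not the reporter's code: a filter-level wrapper can override isSecure() from X-Forwarded-Proto, but if getSession() is simply forwarded to the wrapped request, the session cookie is built from the wrapped request's own (unchanged) flag. The `Request` and `ForwardedProtoWrapper` classes below are hypothetical stand-ins for the connector request and the filter's wrapper; the cookie string is constructed for the demo.

```java
// Added illustration (not Tomcat code): why overriding isSecure() in a request
// wrapper does not reach session-cookie creation when getSession() is delegated.
public class WrappedSecureFlagDemo {

    /** Hypothetical stand-in for the connector-level request. */
    static class Request {
        private boolean secure;   // what the connector itself saw (plain HTTP from the proxy)

        Request(boolean secure) { this.secure = secure; }

        boolean isSecure() { return secure; }

        /** A Valve runs on the connector request and can change the flag here. */
        void setSecure(boolean secure) { this.secure = secure; }

        /** Session creation builds the cookie from *this* object's secure flag. */
        String getSession() {
            // Constructed cookie value for the demo.
            String cookie = "JSESSIONID=constructed-session-id; Path=/; HttpOnly";
            if (isSecure()) {
                cookie += "; Secure";
            }
            return cookie;
        }
    }

    /** Hypothetical stand-in for a filter's request wrapper. */
    static class ForwardedProtoWrapper extends Request {
        private final Request wrapped;
        private final String forwardedProto;

        ForwardedProtoWrapper(Request wrapped, String forwardedProto) {
            super(wrapped.isSecure());
            this.wrapped = wrapped;
            this.forwardedProto = forwardedProto;
        }

        /** The wrapper answers "secure" based on the proxy header. */
        @Override
        boolean isSecure() {
            return "https".equalsIgnoreCase(forwardedProto);
        }

        /** Plain delegation: the wrapped request decides, using only its own flag. */
        @Override
        String getSession() {
            return wrapped.getSession();
        }
    }

    /** Filter style: the wrapper says secure, but the wrapped request builds the cookie. */
    static String cookieViaFilterWrapper() {
        Request original = new Request(false);
        ForwardedProtoWrapper wrapper = new ForwardedProtoWrapper(original, "https");
        return wrapper.getSession();   // no "; Secure" attribute
    }

    /** Valve style: the flag is changed on the connector request before the session exists. */
    static String cookieViaValveStyle() {
        Request original = new Request(false);
        original.setSecure("https".equalsIgnoreCase("https"));
        return original.getSession();  // carries "; Secure"
    }

    public static void main(String[] args) {
        System.out.println("filter wrapper: " + cookieViaFilterWrapper());
        System.out.println("valve style   : " + cookieViaValveStyle());
    }
}
```

The two return paths correspond to the two workarounds the report names: RemoteIpValve acts on the connector request itself, so the flag is already set when the session cookie is created, and the web.xml route (`<session-config><cookie-config><secure>true</secure></cookie-config></session-config>`) forces the attribute independently of what any request object reports.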