https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
Bug ID: 66471
Summary: JSessionId secure attribute missing with
RemoteIpFilter and X-Forwarded-Proto set to https
Product: Tomcat 9
Version: 9.0.68
Hardware: PC
Status: NEW
Severity: critical
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: reto.we...@axonivy.com
Target Milestone: -----
I use the org.apache.catalina.filters.RemoteIpFilter Filter behind a NGINX
reverse proxy. On the NGINX I set the http header X-Forwarded-Proto to https.
If I now make a request with a Browser to the reverse proxy the JSESSIONID
cookie I get back is missing the secure attribute.
I have debugged the RemoteIpFilter, the isSecure flag of the wrapper request it
creates, is correctly set to true. Unfortunately, the method getSession() or
getSession(Boolean) is forwarded to the wrapped original request were the
isSecure Flag is still not set. Therefore, the JSESSIONID cookie is missing the
secure flag. See org.apache.catalina.connector.Request method doGetSession and
org.apache.catalina.core.ApplicationSessionCookieConfig method
createSessionCookie.
As workaround org.apache.catalina.valves.RemoteIpValve can be used, which seems
to handle this correct. Also, the secure flag can be enforced by setting it in
the web.xml.
However, I would like to use RemoteIpFilter because it has some advantages over
the RemoteIpValve or statically setting it in the web.xml.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
