Re: Not able to make JSESSIONID cookie secure

2021-01-01 Thread Amit Khosla
Thanks for the reply!

We made the changes in /conf/web.xml.
But when the changes were not reflected, we made the changes in the specific app as
well. But we could not see the cookie as secure.

We verified this with the response headers seen in the Chrome developer tools. The
cookie JSESSIONID does not have a secure flag.

By the way, Happy New Year!

On Thu, Dec 31, 2020 at 5:01 PM Darryl Lewis wrote:

>
> Did you make the changes to /conf/web.xml ? It seems you
> may have made them just to that specific our_app  application
>
> Are you sure you are testing it correctly?
> Can you try https://gf.dev/http-headers-test
>
>
> On 31/12/20, 8:29 pm, "Amit Khosla"  wrote:
>
> Thanks for reply,
> we did restarted server while trying. The issue is still there even
> after
> restart.
>
> On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <
> darryl.le...@unsw.edu.au>
> wrote:
>
> > 
> > 
> > true
> > true
> > 
> > 
> >
> > Restart the server.
> >
> > On 31/12/20, 3:50 pm, "Amit Khosla" 
> wrote:
> >
> > Hi Team,
> >
> >
> >
> > As we are looking forward for JSESSIONID to be secure.
> >
> >
> >
> > We made changes in web.xml in tomcat/conf
> >
> >
> >
> >   
> >
> >  true
> >
> > true
> >
> >   
> >
> >
> >
> >
> >
> > But even after the changes, we are not able to get the JSESSIONID
> > cookie as
> > secure.
> >
> > We also tried changes in web.xml of our application, i.e,
> > tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not
> getting it
> > secure.
> >
> >
> >
> > Tomcat version we are using is 8.5.53.
> >
> > We are getting same issue on windows as well as linux machine.
> >
> >
> >
> > Can you please guide us what can be done as this is required as
> per
> > security compliance?
> >
> >
> >
> > Thanks & Regards
> >
> > Amit
> >
> >
>
> --
> Thanks & Regards
> Amit Khosla
>
>

-- 
Thanks & Regards
Amit Khosla
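
The header check described in this message, done mechanically, as an added example that is not part of the original post. The two sample responses and the function names are constructed for illustration; the check compares attribute names only, so a path or value that merely contains the word "secure" is not counted as the flag.

```python
# Added example; the two responses below are constructed sample data.
AS_REPORTED = """HTTP/1.1 200
Set-Cookie: JSESSIONID=0F3A9C; Path=/secure_app; HttpOnly
Set-Cookie: theme=Secure; Path=/
"""
WITH_SECURE = """HTTP/1.1 200
set-cookie: JSESSIONID=0F3A9C; Path=/our_app; Secure; HttpOnly
"""


def cookie_flags(raw_headers, name="JSESSIONID"):
    """Return one {'secure', 'httponly'} dict per Set-Cookie header that sets `name`."""
    found = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line, blank line or another header
        pair, *attributes = [part.strip() for part in value.split(";")]
        if pair.partition("=")[0].strip() != name:
            continue  # a different cookie
        # Compare attribute *names* only, so "Path=/secure_app" or a cookie
        # value containing "Secure" is never mistaken for the Secure flag.
        names = {attr.partition("=")[0].strip().lower() for attr in attributes}
        found.append({"secure": "secure" in names, "httponly": "httponly" in names})
    return found


def session_cookie_is_secure(raw_headers, name="JSESSIONID"):
    """True only if the cookie is set and every header setting it carries Secure."""
    flags = cookie_flags(raw_headers, name)
    return bool(flags) and all(f["secure"] for f in flags)


if __name__ == "__main__":
    for label, sample in (("as reported", AS_REPORTED), ("with Secure", WITH_SECURE)):
        print(label, cookie_flags(sample), session_cookie_is_secure(sample))
```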


Re: Tomcat 9 - failed to set property [packetSize]

2021-01-01 Thread valsaraj pv
Thanks Mark!
It works fine after removing packetSize.

On Fri, 1 Jan 2021, 3:18 pm Mark Thomas,  wrote:

> You have only changed the packet size on the Tomcat side of the
> connection. The httpd side is still using 8192. That will work up until
> the point where Tomcat needs to return a response bigger than 8192
> bytes. At which point it will fail. I suspect the response in the Tomcat
> 8 case was just less than 8192 bytes whereas in Tomcat 9 something made
> it just over 8192 bytes.
>
> You must configure the same packet size for both httpd and Tomcat.
>
> You can either:
> - remove the packetSize attribute from the Tomcat Connector
> or
> - set ProxyIOBufferSize 65536 in httpd.conf
>
> Mark
>
>
> On 01/01/2021 08:07, valsaraj pv wrote:
> > Here is the configuration details:
> >
> > Apache:
> >
> >> ProxyPass /app ajp://:8009/app retry=0 ttl=6000
> >> ProxyPassReverse /app ajp://:8009/app
> >> ProxyPreserveHost On
> >> ProxyRequests Off
> >> UseCanonicalName On
> >> Timeout 1200
> >> ProxyTimeout 1200
> >
> >
> > Tomcat 9:
> >
> >>  >> packetSize="65536"
> >> connectionTimeout="6" maxThreads="500" secretRequired="false"
> >> redirectPort="8443" enableLookups="false"/>
> >
> >
> > Tomcat 8:
> >
> >>  >> emptySessionPath="true"
> >> enableLookups="false" maxThreads="500" packetSize="65536"
> >> port="8009" protocol="AJP/1.3" redirectPort="8443"/>
> >
> >
> > Following error in Tomcat 9 when packetSize="65536" added:
> >
> >> ERROR [ErrorPageFilter] Cannot forward to error page for request
> >> [/app/list] as the response has already been committed. As a result, the
> >> response may have the wrong status code. If your application is running
> on
> >> WebSphere Application Server you may be able to resolve this problem by
> >> setting com.ibm.ws.webcontainer.invokeFlushAfterService to false
> >> org.apache.catalina.connector.ClientAbortException: java.io.IOException:
> >> Connection reset by peer
> >
> >
> > Thanks!
> >
> > On Thu, Dec 31, 2020 at 9:49 PM Mark Thomas  wrote:
> >
> >> On 31/12/2020 16:05, valsaraj pv wrote:
> >>> Thanks for your reply Mark.
> >>>
> >>> Is packetSize property still available in http connector? I got this
> >>> warning when I added in it.
> >>
> >> That property has never been valid for an HTTP Connector for any Tomcat
> >> version.
> >>
> >>> It is possible to add this property in ajp connector but when I access
> >> via
> >>> Apache proxy, it shows connection closed. When this attribute is
> removed
> >>> all works fine. But this behaviour is different from Tomcat 8, where
> this
> >>> property worked fine with the same front end Apache proxy. Any
> >>> pointers would be appreciated.
> >>
> >> You'll need to provide your full proxy configuration from httpd and the
> >> full  element(s) from Tomcat for us to be able to help you.
> >>
> >> Kind regards,
> >>
> >> Mark
> >>
> >>
> >>>
> >>> Thank you very much!
> >>>
> >>>
> >>> On Thu, 31 Dec 2020, 9:05 pm Mark Thomas,  wrote:
> >>>
> >>>> On 31/12/2020 11:06, valsaraj pv wrote:
> >>>>> Hi,
> >>>>>
> >>>>> WARNING [main]
> org.apache.tomcat.util.digester.SetPropertiesRule.begin
> >>>>>> Match [Server/Service/Connector] failed to set property [packetSize]
> >>>>>> to
> >>>>>> [65536]
> >>>>>
> >>>>> I see this warning when migrating from Tomcat 8 to 9 on JDK 8. The
> >>>> warning
> >>>>> went away when packetSize="65536" property removed.
> >>>>>
> >>>>> How to set this in Tomcat 9?
> >>>>
> >>>> packetSize is a valid attribute for the AJP Connectors in Tomcat 9.
> >>>>
> >>>> Please provide the full content of the Connector element exhibiting
> the
> >>>> issue.
> >>>>
> >>>> Mark
> >>>>
> >>>> -
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> >>
> >
>
>
>
>


Re: Tomcat 9 - failed to set property [packetSize]

2021-01-01 Thread Mark Thomas
You have only changed the packet size on the Tomcat side of the
connection. The httpd side is still using 8192. That will work up until
the point where Tomcat needs to return a response bigger than 8192
bytes. At which point it will fail. I suspect the response in the Tomcat
8 case was just less than 8192 bytes whereas in Tomcat 9 something made
it just over 8192 bytes.

You must configure the same packet size for both httpd and Tomcat.

You can either:
- remove the packetSize attribute from the Tomcat Connector
or
- set ProxyIOBufferSize 65536 in httpd.conf

Mark


On 01/01/2021 08:07, valsaraj pv wrote:
> Here is the configuration details:
> 
> Apache:
> 
>> ProxyPass /app ajp://:8009/app retry=0 ttl=6000
>> ProxyPassReverse /app ajp://:8009/app
>> ProxyPreserveHost On
>> ProxyRequests Off
>> UseCanonicalName On
>> Timeout 1200
>> ProxyTimeout 1200
> 
> 
> Tomcat 9:
> 
>> > packetSize="65536"
>> connectionTimeout="6" maxThreads="500" secretRequired="false"
>> redirectPort="8443" enableLookups="false"/>
> 
> 
> Tomcat 8:
> 
>> > emptySessionPath="true"
>> enableLookups="false" maxThreads="500" packetSize="65536"
>> port="8009" protocol="AJP/1.3" redirectPort="8443"/>
> 
> 
> Following error in Tomcat 9 when packetSize="65536" added:
> 
>> ERROR [ErrorPageFilter] Cannot forward to error page for request
>> [/app/list] as the response has already been committed. As a result, the
>> response may have the wrong status code. If your application is running on
>> WebSphere Application Server you may be able to resolve this problem by
>> setting com.ibm.ws.webcontainer.invokeFlushAfterService to false
>> org.apache.catalina.connector.ClientAbortException: java.io.IOException:
>> Connection reset by peer
> 
> 
> Thanks!
> 
> On Thu, Dec 31, 2020 at 9:49 PM Mark Thomas  wrote:
> 
>> On 31/12/2020 16:05, valsaraj pv wrote:
>>> Thanks for your reply Mark.
>>>
>>> Is packetSize property still available in http connector? I got this
>>> warning when I added in it.
>>
>> That property has never been valid for an HTTP Connector for any Tomcat
>> version.
>>
>>> It is possible to add this property in ajp connector but when I access
>> via
>>> Apache proxy, it shows connection closed. When this attribute is removed
>>> all works fine. But this behaviour is different from Tomcat 8, where this
>>> property worked fine with the same front end Apache proxy. Any
>>> pointers would be appreciated.
>>
>> You'll need to provide your full proxy configuration from httpd and the
>> full  element(s) from Tomcat for us to be able to help you.
>>
>> Kind regards,
>>
>> Mark
>>
>>
>>>
>>> Thank you very much!
>>>
>>>
>>> On Thu, 31 Dec 2020, 9:05 pm Mark Thomas,  wrote:
>>>
>>>> On 31/12/2020 11:06, valsaraj pv wrote:
>>>>> Hi,
>>>>>
>>>>> WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin
>>>>>> Match [Server/Service/Connector] failed to set property [packetSize]
>>>>>> to
>>>>>> [65536]
>>>>>
>>>>> I see this warning when migrating from Tomcat 8 to 9 on JDK 8. The
>>>> warning
>>>>> went away when packetSize="65536" property removed.
>>>>>
>>>>> How to set this in Tomcat 9?
>>>>
>>>> packetSize is a valid attribute for the AJP Connectors in Tomcat 9.
>>>>
>>>> Please provide the full content of the Connector element exhibiting the
>>>> issue.
>>>>
>>>> Mark
>>>>


>>>
>>
>>
>>
>>
> 





Re: Tomcat 9 - failed to set property [packetSize]

2021-01-01 Thread valsaraj pv
Here is the configuration details:

Apache:

> ProxyPass /app ajp://:8009/app retry=0 ttl=6000
> ProxyPassReverse /app ajp://:8009/app
> ProxyPreserveHost On
> ProxyRequests Off
> UseCanonicalName On
> Timeout 1200
> ProxyTimeout 1200


Tomcat 9:

>  packetSize="65536"
> connectionTimeout="6" maxThreads="500" secretRequired="false"
> redirectPort="8443" enableLookups="false"/>


Tomcat 8:

>  emptySessionPath="true"
> enableLookups="false" maxThreads="500" packetSize="65536"
> port="8009" protocol="AJP/1.3" redirectPort="8443"/>


Following error in Tomcat 9 when packetSize="65536" added:

> ERROR [ErrorPageFilter] Cannot forward to error page for request
> [/app/list] as the response has already been committed. As a result, the
> response may have the wrong status code. If your application is running on
> WebSphere Application Server you may be able to resolve this problem by
> setting com.ibm.ws.webcontainer.invokeFlushAfterService to false
> org.apache.catalina.connector.ClientAbortException: java.io.IOException:
> Connection reset by peer


Thanks!

On Thu, Dec 31, 2020 at 9:49 PM Mark Thomas  wrote:

> On 31/12/2020 16:05, valsaraj pv wrote:
> > Thanks for your reply Mark.
> >
> > Is packetSize property still available in http connector? I got this
> > warning when I added in it.
>
> That property has never been valid for an HTTP Connector for any Tomcat
> version.
>
> > It is possible to add this property in ajp connector but when I access
> via
> > Apache proxy, it shows connection closed. When this attribute is removed
> > all works fine. But this behaviour is different from Tomcat 8, where this
> > property worked fine with the same front end Apache proxy. Any
> > pointers would be appreciated.
>
> You'll need to provide your full proxy configuration from httpd and the
> full  element(s) from Tomcat for us to be able to help you.
>
> Kind regards,
>
> Mark
>
>
> >
> > Thank you very much!
> >
> >
> > On Thu, 31 Dec 2020, 9:05 pm Mark Thomas,  wrote:
> >
> >> On 31/12/2020 11:06, valsaraj pv wrote:
> >>> Hi,
> >>>
> >>> WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin
> >>>> Match [Server/Service/Connector] failed to set property [packetSize]
> to
> >>>> [65536]
> >>>
> >>> I see this warning when migrating from Tomcat 8 to 9 on JDK 8. The
> >> warning
> >>> went away when packetSize="65536" property removed.
> >>>
> >>> How to set this in Tomcat 9?
> >>
> >> packetSize is a valid attribute for the AJP Connectors in Tomcat 9.
> >>
> >> Please provide the full content of the Connector element exhibiting the
> >> issue.
> >>
> >> Mark
> >>
> >>
> >>
> >
>
>
>
>

-- 
Life is like this: "Just when we get all the answers of life God
changes the question paper

Valsaraj Viswanathan
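
Mark Thomas's point in this thread, that httpd and Tomcat must use the same AJP packet size, checked against the two configuration files. This is an added example, not part of the original posts; the sample files, the host name tomcat.example and the function names are assumptions, and 8192 is taken as the default on both sides.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_SIZE = 8192  # default AJP packet size when neither side sets one

# Constructed samples modelled on the thread; host name and layout are assumptions.
HTTPD_CONF = """
ProxyPass /app ajp://tomcat.example:8009/app retry=0 ttl=6000
ProxyPassReverse /app ajp://tomcat.example:8009/app
# ProxyIOBufferSize 65536
"""
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" packetSize="65536" redirectPort="8443"/>
</Service></Server>"""


def httpd_buffer_size(conf_text):
    """Last uncommented ProxyIOBufferSize value, or the default."""
    size = DEFAULT_SIZE
    for line in conf_text.splitlines():
        match = re.match(r"\s*ProxyIOBufferSize\s+(\d+)", line, re.IGNORECASE)
        if match:
            size = int(match.group(1))
    return size


def ajp_packet_sizes(server_xml):
    """Map port -> packetSize for every AJP Connector in server.xml."""
    sizes = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # HTTP connectors are skipped: packetSize is not valid for them.
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            sizes[conn.get("port")] = int(conn.get("packetSize", DEFAULT_SIZE))
    return sizes


def packet_size_mismatches(conf_text, server_xml):
    """(port, tomcat_size, httpd_size) for each AJP Connector that disagrees with httpd."""
    httpd = httpd_buffer_size(conf_text)
    return [(port, size, httpd)
            for port, size in ajp_packet_sizes(server_xml).items() if size != httpd]


if __name__ == "__main__":
    print(packet_size_mismatches(HTTPD_CONF, SERVER_XML))
```

Either remedy from the reply clears the finding: removing packetSize from the Connector, or setting ProxyIOBufferSize 65536 in httpd.conf.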