Hi. I noticed recently that the JSESSIONID cookie returned by Shiro does not have the "Secure" attribute set. For example, I see a response that includes something like:

    Set-Cookie: JSESSIONID=ad239d5c-34c4-49b0-a1d8-c6a5f21f32ae; Path=/; HttpOnly

The "HttpOnly" attribute is set, but not "Secure", to require secure transport. (We are conducting all transport over https already.) See Section 4.1.2.5 after: https://tools.ietf.org/html/rfc6265#section-4.1.2

How can I tell Shiro to include this attribute? I did not see any obvious way to specify this. Thanks.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/JSESSIONID-not-Secure-tp7579894.html
Sent from the Shiro User mailing list archive at Nabble.com.
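
An added example, not part of the original post and not Shiro code: a Python check that parses Set-Cookie headers the way RFC 6265 section 5.2 describes (attribute names are case-insensitive, and an attribute counts as present whether or not it carries a value) and reports cookies that lack Secure or HttpOnly. The function names and the second sample cookie are constructed for illustration; the first sample header is the one quoted in the post.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes (RFC 6265, section 5.2)."""


def parse_set_cookie(value):
    """Return (cookie_name, attrs); attrs maps lowercased attribute names to their values."""
    parts = value.split(";")
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for av in parts[1:]:
        attr_name, _, attr_value = av.partition("=")
        attr_name = attr_name.strip().lower()  # attribute names are case-insensitive
        if attr_name:
            attrs[attr_name] = attr_value.strip()  # a later duplicate overrides an earlier one
    return name.strip(), attrs


def audit_response(raw_headers, required=("secure", "httponly")):
    """Return {cookie_name: [missing attributes]} for cookies lacking a required attribute."""
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line, blank line, or some other header
        name, attrs = parse_set_cookie(value)
        missing = [a for a in required if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample response: the first cookie is the header from the post,
# the second is an invented cookie that carries both attributes in mixed case.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=ad239d5c-34c4-49b0-a1d8-c6a5f21f32ae; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/; secure; HTTPONLY
"""

if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Run against captured response headers, this flags the JSESSIONID cookie until the session cookie is issued with the Secure attribute.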
