On 29/07/2013 21:31, Jeffrey Janner wrote:
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Sent: Monday, July 29, 2013 2:29 PM
> To: 'Tomcat Users List'
> Subject: secure cookies
> 
> Have a client that is wanting us to implement the following in web.xml:
> <session-config>
>     <cookie-config>
>         <http-only>true</http-only>
>         <secure>true</secure>
>     </cookie-config>
> </session-config>
> But from what I can tell, that's only available in 7+ and we are running at 
> 6.latest with plans to upgrade.
> Found a site that says I can accomplish the same in 6 by setting 
> useHttpOnly="true" in the context and setting secure="true" in the non-SSL 
> connector.
> I know the former is correct, but the latter seems a stretch.  Am I correct 
> in not trusting that answer?

The web.xml settings are configuring all cookies to use the secure and
httpOnly flags.

For Tomcat 6, useHttpOnly="true" at the Context level will achieve the
first. (OK so far)

Setting secure="true" on a HTTP connector is a recipe for a massive
security hole. There are some very limited cases where it is the right
thing to do but I doubt this is one of them. What that setting will do
is tell Tomcat that all connections to that connector are secure and
Tomcat will treat them as if they were HTTPS connections and *not*
redirect things to real HTTPS if, for example, your webapp has a
transport guarantee.

The only way I can think to set the secure flag on all cookies for
Tomcat 6 is to add a Filter that wraps the response and modifies every
cookie added via HttpServletResponse.addCookie()

Even then if you have a request that creates a session on an HTTP
request I don't think you'll catch that.

Mark
