1 Reply Latest reply on May 10, 2010 6:42 AM by mariusz.olejnik

How to set secure attribute for jsession cookie?

pradeeppj Jan 19, 2010 1:27 PM

Hello everyone,

We are using JBOSS 4.2.3 GA version for our application. Recently our security team ran some tests on our application and reported that for the JSESSIONID, the secure attribute is not set. I tried look for possible solutions to fix this, but in vain. Is there a way I can set the secure attribute for the sessionid cookie. FYI all our requests will be over HTTPS however our application is front-ended by an SSL offloading load balancer which uses HTTP. Any help in this regard is really appreciated.

Thanks...

1. Re: How to set secure attribute for jsession cookie?

mariusz.olejnik May 10, 2010 6:42 AM (in response to pradeeppj)

server.xml:

<Connector
   ...
   secure="true"
   ...
/>

It's working, even if SSLEnabled="false" scheme="http":
JBoss <- http, secure cookie -> load balancer <- https, secure cookie -> browser

HTH.
Regards from Lublin@Poland
Actions