1 Reply Latest reply on Sep 15, 2015 10:31 PM by sudiptasarkar

    JBoss EAP 6.4 (JBoss AS 7.5) httponly and secure flag

    mayuran19

      Hi Experts,

      We are trying to move our applications deployed in Tomcat to JBoss EAP.

      We have managed to deploy our applications and bring them up without much issue, but after we log in to our web based system and click any other link, the session terminates unexpectedly.

      We have done some research and found that the following setting in web.xml is causing this session termination issue:

      <session-config>
          <session-timeout>15</session-timeout>
          <cookie-config>
              <http-only>true</http-only>
              <secure>true</secure>
          </cookie-config>
      </session-config>

       

      When we comment out the <cookie-config> setting in web.xml, we are able to use it without any issue.

      Now the question is: why, when the above config is added to web.xml, does JBoss terminate the session?

      The following code returns null when using the above session config:

      request.getSession(false).getAttribute("user") => null when the "http-only" and "secure" flags are used?

      Can anyone enlighten us on this issue?

      Regards,

      Mayuran
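As an added illustration (not code from the original post, from JBoss, or from the Servlet API), the script below models what the two flags in that `<cookie-config>` do on the browser side. Per RFC 6265, a cookie carrying the Secure attribute is only sent back on requests made over a secure channel, while HttpOnly only hides it from script and does not affect whether it is returned. The `SessionServer` class is a constructed stand-in for a container that issues JSESSIONID on login and resolves it on later requests with `getSession(false)` semantics; it is not JBoss. The example shows one condition that produces exactly the symptom described above: the container sets `Secure` on the session cookie, the next link is fetched over plain `http://`, the browser withholds the cookie, and the server finds no session.

```python
"""Model of browser handling of the Secure and HttpOnly cookie attributes
(RFC 6265). Added example; the server side is a constructed stand-in for a
servlet container, not JBoss itself."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value. Only the Secure and HttpOnly flags
    are modelled; Path, Domain and Expires are ignored in this example."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        flag = attr.split("=", 1)[0].strip().lower()
        if flag == "secure":
            cookie.secure = True
        elif flag == "httponly":
            cookie.httponly = True
    return cookie


def browser_sends(cookie: Cookie, request_url: str) -> bool:
    """RFC 6265 section 5.4: a Secure cookie is attached only to requests
    made over a secure channel (https in this model)."""
    scheme = urlsplit(request_url).scheme.lower()
    return scheme == "https" or not cookie.secure


def script_can_read(cookie: Cookie) -> bool:
    """HttpOnly hides the cookie from document.cookie; it never stops the
    browser from sending it, so it cannot on its own break a session."""
    return not cookie.httponly


class SessionServer:
    """Constructed stand-in for a container: issues JSESSIONID on login and
    looks the session up on later requests (getSession(false) semantics)."""

    def __init__(self, secure_flag: bool, httponly_flag: bool):
        self.secure_flag = secure_flag      # <secure>true</secure>
        self.httponly_flag = httponly_flag  # <http-only>true</http-only>
        self.sessions = {}

    def login(self, user: str) -> str:
        """Return the Set-Cookie header value emitted on login."""
        sid = f"sid-{len(self.sessions) + 1}"
        self.sessions[sid] = {"user": user}
        attrs = ["JSESSIONID=" + sid]
        if self.secure_flag:
            attrs.append("Secure")
        if self.httponly_flag:
            attrs.append("HttpOnly")
        return "; ".join(attrs)

    def get_session_attribute(self, cookie_header: Optional[str], key: str):
        """Equivalent of request.getSession(false).getAttribute(key):
        None when no valid session cookie arrived with the request."""
        if not cookie_header:
            return None
        name, _, sid = cookie_header.partition("=")
        session = self.sessions.get(sid) if name == "JSESSIONID" else None
        return session.get(key) if session else None


def follow_link(server: SessionServer, user: str, next_url: str):
    """Simulate a login followed by a click on next_url and return what the
    server then sees as the 'user' session attribute."""
    cookie = parse_set_cookie(server.login(user))
    cookie_header = None
    if browser_sends(cookie, next_url):
        cookie_header = f"{cookie.name}={cookie.value}"
    return server.get_session_attribute(cookie_header, "user")


if __name__ == "__main__":
    srv = SessionServer(secure_flag=True, httponly_flag=True)
    print(follow_link(srv, "alice", "http://app.example/home"))   # None
    print(follow_link(srv, "alice", "https://app.example/home"))  # alice
```

When checking a real deployment for this, the two things to compare are the `Set-Cookie` header returned by the login response (whether it carries `Secure`) and the scheme of the URL the following pages are loaded from; a TLS-terminating proxy in front of the container counts as `http://` from the container's point of view unless the container is told otherwise.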