We are using JBOSS 4.2.3 GA version for our application. Recently our security team ran some tests on our application and reported that for the JSESSIONID, the secure attribute is not set. I tried looking for possible solutions to fix this, but in vain. Is there a way I can set the secure attribute for the sessionid cookie? FYI, all our requests will be over HTTPS; however, our application is front-ended by an SSL offloading load balancer which uses HTTP. Any help in this regard is really appreciated.
It's working, even if SSLEnabled="false" scheme="http":
JBoss <- http, secure cookie -> load balancer <- https, secure cookie -> browser
Regards from Lublin@Poland
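An added example, not part of the original answer: the HTTP connector that receives traffic from the SSL-offloading load balancer, before and after marking it `secure="true"`, so that the container treats requests as secure and issues JSESSIONID with the Secure attribute. The file location, port and address are assumptions for a default JBoss 4.2.x layout.

```xml
<!-- Assumed location on JBoss 4.2.x:
     server/<config>/deploy/jboss-web.deployer/server.xml
     Port and address are constructed sample values. -->

<!-- Before: plain HTTP connector behind the load balancer.
     request.isSecure() returns false on this connector, so the
     session cookie is sent without the Secure attribute. -->
<Connector port="8080" address="${jboss.bind.address}"
           protocol="HTTP/1.1"
           SSLEnabled="false" scheme="http" />

<!-- After: still plain HTTP between load balancer and JBoss
     (SSLEnabled="false", scheme="http" as in the answer above), but
     secure="true" makes request.isSecure() return true, so the
     session cookie is issued with the Secure attribute. -->
<Connector port="8080" address="${jboss.bind.address}"
           protocol="HTTP/1.1"
           SSLEnabled="false" scheme="http" secure="true" />
```

After restarting, check the `Set-Cookie: JSESSIONID=...` response header through the load balancer for the `Secure` attribute. Because `secure="true"` applies to every request arriving on that connector, the port should be reachable only from the load balancer.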