Question on setting secure cookie!

Kuga
Hi,
We are trying to address a CSRF issue, and one part of that is to mark the cookie Secure.
We are using Jetty 6.1.15 and do the following in a JettyCustomizer:

import java.util.Dictionary;

import org.eclipse.equinox.http.jetty.JettyCustomizer;
import org.mortbay.jetty.servlet.AbstractSessionManager;
import org.mortbay.jetty.servlet.Context;
import org.mortbay.jetty.servlet.SessionHandler;

public class ExtJettyCustomizer extends JettyCustomizer {
    public Object customizeContext(Object context, Dictionary settings) {
        Context httpContext = (Context) context;
        if (httpContext.getSessionHandler() != null) {
            final SessionHandler sessionHandler = httpContext.getSessionHandler();
            if (sessionHandler.getSessionManager() instanceof AbstractSessionManager) {
                AbstractSessionManager sessionManager =
                        (AbstractSessionManager) sessionHandler.getSessionManager();
                // Ask Jetty to flag the session cookie HttpOnly and Secure
                sessionManager.setHttpOnly(true);
                sessionManager.setSecureCookies(true);
            }
        }
        return super.customizeContext(httpContext, settings);
    }
}

Despite setting setSecureCookies(true) on the AbstractSessionManager, when we observe the JSESSIONID cookie its Secure flag is not set.

NOTE: We are using HTTPS Apache proxying to HTTP Jetty; I understand that this is the reason the Secure flag is not set. If I need to do it in Apache, can anyone let me know how to configure this setting in Apache?

Is there any additional setting we need to make to ensure this?

Thanks
Kuga
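An added example, not part of Kuga's post, of how the Apache side of the HTTPS-to-HTTP proxy setup described above can add the Secure (and HttpOnly) flags to cookies coming back from Jetty. Jetty 6 only marks JSESSIONID Secure when the request it sees is itself HTTPS, so behind a plain-HTTP proxy the flag has to be added by the front end. This assumes Apache 2.2.4 or later (the first release with "Header edit") with mod_ssl, mod_proxy_http and mod_headers loaded; the hostname, certificate paths and the Jetty listener address 127.0.0.1:8080 are placeholders.

```apache
# Added example (not from the original post).
# Requires: Apache >= 2.2.4, mod_ssl, mod_proxy, mod_proxy_http, mod_headers.
# app.example.com, the certificate paths and 127.0.0.1:8080 are assumptions.
<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/app.crt
    SSLCertificateKeyFile /etc/apache2/ssl/app.key

    # Forward everything to the plain-HTTP Jetty instance.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Jetty will not set Secure on JSESSIONID because it only sees HTTP,
    # so append the flag here to every Set-Cookie that does not already
    # carry it. The negative lookahead prevents duplicating the attribute.
    Header edit Set-Cookie "^(?!.*; *[Ss]ecure)(.*)$" "$1; Secure"

    # Same for HttpOnly. Jetty 6 does honour setHttpOnly(true) on its
    # own, so this is a safety net for cookies set by application code.
    Header edit Set-Cookie "^(?!.*; *[Hh]ttp[Oo]nly)(.*)$" "$1; HttpOnly"
</VirtualHost>
```

To check the result, request a page that creates a session over HTTPS (for example with curl -kI https://app.example.com/) and confirm that the Set-Cookie line for JSESSIONID ends in "; Secure; HttpOnly" or similar. Note that rewriting the header in Apache only changes what the browser receives: inside Jetty, request.isSecure() still returns false, so any application code that branches on it will continue to see a plain-HTTP request.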