How to mark JSESSIONID secure in tomcat?
Question
I want to mark my JSESSIONID cookie generated by tomcat(version 8) as secure. im using java 12 ...
So far i have tried
- in tomcat
web.xmlfile, i have added
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
in session-config section
- tried,
cookie.setSecure(true)in myservlet
both not working.. any better solution?
1 answers
solution1
0 2019-07-12 07:19:45
There are 2 flag should be maintain to avoid Session cookies hijacking(HttpOnly, Secure)
Set-Cookie: JSESSIONID=T8zK7hcII6iNgA; Expires=Wed, 21 May 2018 07:28:00 GMT; HttpOnly; Secure
For Servlet 3.0 the configuration as
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
how to secure jsessionid cookie in tomcat 7 using environment variables
how to set JSESSIONID cookie as secure using Spring security 2 and Apache Tomcat 7 setting
Forcing Tomcat to use secure JSESSIONID cookie over http
How to set SameSite and Secure attribute to JSESSIONID cookie
How to change the delimiter/separator in Tomcat for JSESSIONID and jvmRoute?
How to remove jsessionid from URL in my local Tomcat7 in Eclipse
How frequent does Tomcat rotate JSESSIONID within same session
JSESSIONID is set for both HttpOnly and Secure
Handling jsessionid in custom header (Tomcat 6)
Is it possible to disable jsessionid in tomcat servlet?
Related Tags