JSESSIONID not secure by default

Issue

  • When the cookies of a Liferay page are inspected in the browser's developer tools, the JSESSIONID session cookie does not carry the Secure flag by default, so the browser would also send it over plain HTTP.

Environment

  • Liferay DXP 7.3

Resolution

  • Mark the session cookie Secure (and HttpOnly) through the session configuration in web.xml:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Additional Information

  • The JSESSIONID cookie is generated by the application server, not by Liferay. Servlet containers such as the Tomcat bundled with DXP add the Secure flag on their own only when the request itself arrived over HTTPS. A browser only sends a Secure cookie over HTTPS and will not accept one set by a response from an http:// origin, so the flag is useless on a deployment reached over plain HTTP.

  • If requests reach the application server over HTTP, for example because TLS is terminated on a reverse proxy or load balancer in front of it, the container never sees a secure request and does not add the flag. In that case it has to be set explicitly in web.xml as above. That is why the cookie is not Secure by default.
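The following script checks the result of the fix above from the outside: it parses the Set-Cookie headers of a response and reports which of the Secure and HttpOnly flags the JSESSIONID cookie is missing. It is an added example, not Liferay or Tomcat code, and uses only the Python standard library. The two sample header sets are constructed to show the default and the hardened cookie; the check_live() helper fetches a URL you supply and runs the same check on the real response.

```python
"""Verify that a server's JSESSIONID cookie carries Secure and HttpOnly.

Added example (not Liferay code). Standard library only. The sample
Set-Cookie headers at the bottom are constructed for illustration.
"""
import http.client
import ssl
import urllib.parse


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def session_cookie_findings(set_cookie_headers, cookie_name="JSESSIONID"):
    """Return the list of flags missing on the session cookie.

    An empty list means the cookie is both Secure and HttpOnly; None means
    the response did not set a cookie with that name at all.
    """
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] == cookie_name:
            return [flag for flag in ("secure", "httponly")
                    if flag not in cookie["attrs"]]
    return None


def check_live(url, cookie_name="JSESSIONID", verify_tls=True):
    """GET the URL and run session_cookie_findings() on its Set-Cookie headers.

    The check is only meaningful over https: a browser refuses a Secure
    cookie set from an http:// origin, so an http URL is rejected here.
    """
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "https":
        raise ValueError("check over https; Secure cookies are only honoured there")
    ctx = ssl.create_default_context()
    if not verify_tls:  # e.g. a self-signed certificate on a test server
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(parsed.hostname, parsed.port or 443,
                                       context=ctx, timeout=10)
    conn.request("GET", parsed.path or "/")
    resp = conn.getresponse()
    # getheaders() keeps every Set-Cookie line, not just the last one
    headers = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return session_cookie_findings(headers, cookie_name)


# Constructed sample responses: the default cookie and the hardened one.
DEFAULT_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly",
    "OTHER=1; Path=/",
]
HARDENED_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("default :", session_cookie_findings(DEFAULT_HEADERS))   # ['secure']
    print("hardened:", session_cookie_findings(HARDENED_HEADERS))  # []
```

Run check_live("https://your-liferay-host/") against the deployment after changing web.xml and restarting; a result of [] confirms the fix, while ['secure'] means the container is still setting the cookie without the flag (typically because the configuration was not picked up or the request reached the container over plain HTTP behind a proxy).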
