Configuring Cookies' httpOnly Status


By default, the Liferay platform sets httpOnly to true on all of its cookies, configured in its file (Liferay 6.2 and earlier) or in its files (starting with Liferay 7.0).

    # HTTP only cookies are not supposed to be exposed to client-side scripting
    # code, and may therefore help mitigate certain kinds of cross-site
    # scripting attacks. Input a list of comma delimited cookie names that are
    # not HTTP only.


If you want to exclude certain cookies from being httpOnly true and make them httpOnly false instead, list them by name using the aforementioned property in a file. Place the file in your deployed Liferay war's /WEB-INF/classes directory, and then restart Liferay. You can find your Liferay's /WEB-INF/classes wherever it has been deployed in your application server. If you are using Tomcat, for example, it is located in tomcat-{version}/webapps/ROOT/WEB-INF/classes.

To verify that the property is being read, go to Control Panel > Server Administration > Properties and search for the property you added.
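As an added check from the browser side (example code, not part of the Liferay documentation): given the Set-Cookie headers observed from your instance and the comma-delimited exclusion list you configured, this script reports cookies that are exposed to client-side script without being excluded, and excluded cookies that are still HttpOnly, which indicates the property was not picked up after the restart. The cookie names and header values below are constructed samples.

```python
# Constructed sample: Set-Cookie headers as a Liferay instance might return them.
# Only the presence or absence of the HttpOnly attribute matters for this check.
SAMPLE_HEADERS = [
    "JSESSIONID=3F2A1B; Path=/; HttpOnly",
    "COOKIE_SUPPORT=true; Max-Age=31536000; Path=/; HttpOnly",
    "GUEST_LANGUAGE_ID=en_US; Max-Age=31536000; Path=/",
    "LFR_SESSION_STATE_20101=1700000000000; Path=/",
]

# Constructed sample: the comma-delimited list of names you placed in the
# exclusion property (cookies that should NOT be HttpOnly).
EXCLUDES = "GUEST_LANGUAGE_ID,COOKIE_SUPPORT"


def parse_set_cookie(header):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_http_only(headers, excludes):
    """Compare observed cookies against the configured exclusion list.

    Returns a dict of three lists:
      unexpected_exposed - not HttpOnly and not excluded (a gap to close)
      still_http_only    - excluded by configuration but still HttpOnly
                           (the property was not applied)
      ok                 - observed behaviour matches the configuration
    """
    excluded = {n.strip() for n in excludes.split(",") if n.strip()}
    result = {"unexpected_exposed": [], "still_http_only": [], "ok": []}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        http_only = "httponly" in attrs
        if not http_only and name not in excluded:
            result["unexpected_exposed"].append(name)
        elif http_only and name in excluded:
            result["still_http_only"].append(name)
        else:
            result["ok"].append(name)
    return result


if __name__ == "__main__":
    for key, names in audit_http_only(SAMPLE_HEADERS, EXCLUDES).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

In practice, feed the script the Set-Cookie headers captured from a login response (for example from your browser's developer tools or an HTTP proxy) in place of the sample list.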

Additional Information

