Configuring Cookies' httpOnly Status

Description

By default, the Liferay platform sets all of its cookies to httpOnly true. The property that controls this is defined in portal.properties (Liferay 6.2 and earlier) or in system.properties (starting with Liferay 7.0):

    #
    # HTTP only cookies are not supposed to be exposed to client-side scripting
    # code, and may therefore help mitigate certain kinds of cross-site
    # scripting attacks. Input a list of comma delimited cookie names that are
    # not HTTP only.
    #
    cookie.http.only.names.excludes=

Resolution

If you want to exclude certain cookies from being httpOnly true and make them httpOnly false, list them by name using the aforementioned property in a system-ext.properties file. Place the system-ext.properties file in your deployed Liferay war's /WEB-INF/classes directory, and then restart Liferay. You can find your Liferay's /WEB-INF/classes wherever it has been deployed in your application server. If you are using Tomcat, for example, it would be located in tomcat-{version}/webapps/ROOT/WEB-INF/classes.

To verify that the property is being read, go to Control Panel > Server Administration > Properties and search for the property you added.
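Beyond checking that the property shows up in Server Administration, it is worth confirming what the server actually sends: every cookie should carry the HttpOnly flag except the names you listed in the exclude property. The script below is an added example, not Liferay's own code. It reads the cookie.http.only.names.excludes value out of a properties-file snippet and audits a set of Set-Cookie headers against it; the properties content, the cookie names and the header values are all constructed for illustration.

```python
"""Added example (not Liferay code): audit Set-Cookie headers against the
cookie.http.only.names.excludes policy from a system-ext.properties file.
All sample data below is constructed for illustration."""

# Constructed system-ext.properties content; the cookie names are placeholders.
SAMPLE_PROPERTIES = """
# cookies deliberately left readable by client-side script
cookie.http.only.names.excludes=THEME_PREF, LOCALE_HINT
"""

# Constructed Set-Cookie header values, as a proxy or browser devtools would record them.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSION_ID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
    "THEME_PREF=dark; Path=/",
    "LOCALE_HINT=en_US; Path=/; HttpOnly",  # excluded in config, yet still HttpOnly
    "TRACKING_OPT=1; Path=/",               # not excluded, yet missing HttpOnly
]


def parse_excludes(properties_text):
    """Return the set of cookie names listed in cookie.http.only.names.excludes.

    Follows the property's documented format: a comma delimited list of names.
    Comment lines and unrelated keys are ignored; the last occurrence wins.
    """
    excludes = set()
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "cookie.http.only.names.excludes":
            excludes = {name.strip() for name in value.split(",") if name.strip()}
    return excludes


def parse_set_cookie(header):
    """Return (cookie_name, is_http_only) for one Set-Cookie header value."""
    parts = [part.strip() for part in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive per the cookie spec.
    http_only = any(part.lower() == "httponly" for part in parts[1:])
    return name, http_only


def audit_cookies(headers, excludes):
    """Return [(cookie_name, problem)] for cookies whose HttpOnly flag
    contradicts the configured policy: everything is expected to be HttpOnly
    except the names in the excludes set."""
    findings = []
    for header in headers:
        name, http_only = parse_set_cookie(header)
        if name in excludes and http_only:
            findings.append((name, "excluded in config but still HttpOnly"))
        elif name not in excludes and not http_only:
            findings.append((name, "not excluded but missing HttpOnly"))
    return findings


if __name__ == "__main__":
    configured_excludes = parse_excludes(SAMPLE_PROPERTIES)
    print("excluded from HttpOnly:", sorted(configured_excludes))
    for cookie_name, problem in audit_cookies(SAMPLE_SET_COOKIE_HEADERS, configured_excludes):
        print(f"{cookie_name}: {problem}")
```

Run against the headers of a real response, the first kind of finding usually means the property was not picked up (wrong file location or no restart); the second kind points at a cookie set outside the platform's cookie handling, which deserves a look before it is added to the exclude list.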

Additional Information
