HttpOnly flag in JSESSIONID cookie using JBOSS application server

Issue

  • JSESSIONID cookie does not contain the HttpOnly flag.

Environment

  • Liferay Portal 6.2
  • JBOSS

Resolution

  • Change this in your application server configuration: in [jboss_home]\standalone\deployments\ROOT.war\WEB-INF\web.xml, add the following <session-config> block inside the <web-app> element, as below:
        <session-config>
            <cookie-config>
                <http-only>true</http-only>
            </cookie-config>
            <tracking-mode>COOKIE</tracking-mode>
        </session-config>
    </web-app>
  • Although this is an application server configuration, we can help you out in case you do not want to change it yourself. Just request a hotfix with the LPP-17644 internal fix and our support team will do the rest.
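
To confirm the change took effect, the following added example (not Liferay or JBoss code) audits a web.xml for the settings shown above and checks a Set-Cookie header value for the HttpOnly attribute. The function names are hypothetical, and the sample descriptors and cookie value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def audit_session_config(web_xml_text):
    """Return findings; an empty list means the descriptor matches the page's snippet."""
    root = ET.fromstring(web_xml_text)
    sessions = _children(root, "session-config")
    if not sessions:
        return ["no <session-config>: container defaults apply"]
    findings = []
    session = sessions[0]
    http_only = [h for cc in _children(session, "cookie-config")
                 for h in _children(cc, "http-only")]
    if not http_only:
        findings.append("<http-only> not set under <cookie-config>")
    elif (http_only[0].text or "").strip().lower() != "true":
        findings.append("<http-only> is not 'true'")
    modes = [(m.text or "").strip().upper() for m in _children(session, "tracking-mode")]
    if modes != ["COOKIE"]:
        findings.append("tracking-mode is %s, expected only COOKIE" % (modes or "unset"))
    return findings

def session_cookie_is_httponly(set_cookie_value, name="JSESSIONID"):
    """Check one Set-Cookie header value; None means it sets a different cookie."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    if not parts[0].startswith(name + "="):
        return None
    return any(p.lower() == "httponly" for p in parts[1:])

# Constructed samples (not taken from a real deployment).
FIXED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config><http-only>true</http-only></cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""
UNFIXED = """<web-app><session-config>
  <session-timeout>30</session-timeout>
</session-config></web-app>"""

if __name__ == "__main__":
    print(audit_session_config(FIXED))
    print(audit_session_config(UNFIXED))
    print(session_cookie_is_httponly("JSESSIONID=abc123; Path=/; HttpOnly"))
```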
