- The JSESSIONID cookie sent with Liferay requests is not marked as secure by default, as can be seen when inspecting the cookie in the browser.
- Liferay DXP 7.3
- Set the JSESSIONID in web.xml to secure:
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>
If the application server was not accessed over HTTPS, this configuration is not generated and has to be added to web.xml afterwards. This is why the setting is not enabled by default.
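To confirm that a deployed web.xml actually carries the cookie-config shown above, the following check is an added example and is not part of the original article or of Liferay. The function names and the sample web.xml contents are constructed for illustration, and the Java EE namespace on the sample `<web-app>` element is an assumption about the descriptor version.

```python
import xml.etree.ElementTree as ET

NS = 'xmlns="http://xmlns.jcp.org/xml/ns/javaee"'  # assumed descriptor namespace

# Constructed samples, not taken from a real Liferay installation.
HARDENED = f"""<web-app {NS}><session-config><cookie-config>
  <http-only>true</http-only><secure>true</secure>
</cookie-config></session-config></web-app>"""
NO_COOKIE_CONFIG = f"""<web-app {NS}><session-config>
  <session-timeout>30</session-timeout>
</session-config></web-app>"""
SECURE_OFF = HARDENED.replace("<secure>true", "<secure>false")

REQUIRED_FLAGS = ("http-only", "secure")


def _local(tag):
    # Drop a leading "{namespace}" so the check works with any descriptor version.
    return tag.rsplit("}", 1)[-1]


def _child(parent, name):
    return next((c for c in parent if _local(c.tag) == name), None)


def audit_cookie_config(web_xml_text):
    """Return a list of findings; an empty list means both flags are true."""
    root = ET.fromstring(web_xml_text)
    session = _child(root, "session-config")
    if session is None:
        return ["no <session-config> element"]
    cookie = _child(session, "cookie-config")
    if cookie is None:
        return ["no <cookie-config> inside <session-config>"]
    findings = []
    for flag in REQUIRED_FLAGS:
        node = _child(cookie, flag)
        if node is None:
            findings.append(f"<{flag}> is missing")
        elif (node.text or "").strip().lower() != "true":
            findings.append(f"<{flag}> is not 'true'")
    return findings


if __name__ == "__main__":
    for name in ("HARDENED", "NO_COOKIE_CONFIG", "SECURE_OFF"):
        print(name, audit_cookie_config(globals()[name]) or "OK")
```

For a file on disk, read it in binary mode and pass the bytes to `audit_cookie_config`, so the parser honours the encoding declared in the XML prolog.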