
How to mark container generated session cookie as secure without turning on SSL?

 
Gaurav Lodha
Greenhorn
Posts: 5
My application is hosted by a container behind a firewall; the firewall is enforcing SSL but the container is not aware of it. A security scan for the application pointed out that session cookies that are exchanged between client and server are not marked as secure. Can I mark cookies as secure with making any changes on container?

I have tried the following options:

1. Implemented a filter and passed a wrapper
Overridden addCookie, setHeader and addHeader methods in wrapper. None of the methods in the wrapper gets called when request.getSession is invoked.

These methods are getting called when I attempt to add a cookie or set a header in the response, so it is clear that the wrapper is working correctly.

2. Function call containsHeader("Set-Cookie") returns false after invoking request.getSession()

3. Created a cookie (JSESSIONID, "sessionidvalue"), marked it as secure and added it to the response. Still the request coming from the client has a JSESSIONID cookie which is not secure.

I am using OAS 10.1.2 as the container. Is there any configuration file on the server which can set cookies as secure only?

Any suggestions are appreciated.

Thanks
Gaurav
 
Ulf Dittmer
Rancher
Posts: 42970
Please do not post the same question to multiple forums: CarefullyChooseOneForum

Let's continue the discussion in this duplicate thread.
 