Not able to make JSESSIONID cookie secure

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Not able to make JSESSIONID cookie secure

Amit Khosla
Hi Team,



As we are looking forward for JSESSIONID to be secure.



We made changes in web.xml in tomcat/conf

   <session-config>

      <cookie-config>

         <http-only>true</http-only>

        <secure>true</secure>

      </cookie-config>

   </session-config>



But even after the changes, we are not able to get the JSESSIONID cookie as
secure.

We also tried changes in web.xml of our application, i.e,
tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not getting it
secure.



Tomcat version we are using is 8.5.53.

We are getting same issue on windows as well as linux machine.



Can you please guide us what can be done as this is required as per
security compliance?



Thanks & Regards

Amit
Reply | Threaded
Open this post in threaded view
|

Re: Not able to make JSESSIONID cookie secure

Darryl Lewis-2
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

Restart the server.

On 31/12/20, 3:50 pm, "Amit Khosla" <[hidden email]> wrote:

    Hi Team,



    As we are looking forward for JSESSIONID to be secure.



    We made changes in web.xml in tomcat/conf

       <session-config>

          <cookie-config>

             <http-only>true</http-only>

            <secure>true</secure>

          </cookie-config>

       </session-config>



    But even after the changes, we are not able to get the JSESSIONID cookie as
    secure.

    We also tried changes in web.xml of our application, i.e,
    tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not getting it
    secure.



    Tomcat version we are using is 8.5.53.

    We are getting same issue on windows as well as linux machine.



    Can you please guide us what can be done as this is required as per
    security compliance?



    Thanks & Regards

    Amit


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Not able to make JSESSIONID cookie secure

Amit Khosla
Thanks for reply,
we did restarted server while trying. The issue is still there even after
restart.

On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <[hidden email]>
wrote:

> <session-config>
>     <cookie-config>
>         <http-only>true</http-only>
>         <secure>true</secure>
>     </cookie-config>
> </session-config>
>
> Restart the server.
>
> On 31/12/20, 3:50 pm, "Amit Khosla" <[hidden email]> wrote:
>
>     Hi Team,
>
>
>
>     As we are looking forward for JSESSIONID to be secure.
>
>
>
>     We made changes in web.xml in tomcat/conf
>
>        <session-config>
>
>           <cookie-config>
>
>              <http-only>true</http-only>
>
>             <secure>true</secure>
>
>           </cookie-config>
>
>        </session-config>
>
>
>
>     But even after the changes, we are not able to get the JSESSIONID
> cookie as
>     secure.
>
>     We also tried changes in web.xml of our application, i.e,
>     tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not getting it
>     secure.
>
>
>
>     Tomcat version we are using is 8.5.53.
>
>     We are getting same issue on windows as well as linux machine.
>
>
>
>     Can you please guide us what can be done as this is required as per
>     security compliance?
>
>
>
>     Thanks & Regards
>
>     Amit
>
>

--
Thanks & Regards
Amit Khosla
Reply | Threaded
Open this post in threaded view
|

Re: Not able to make JSESSIONID cookie secure

Darryl Lewis-2

Did you make the changes to <CATALINA_HOME>/conf/web.xml ? It seems you may have made them just to that specific our_app  application

Are you sure you are testing it correctly?
Can you try https://gf.dev/http-headers-test


On 31/12/20, 8:29 pm, "Amit Khosla" <[hidden email]> wrote:

    Thanks for reply,
    we did restarted server while trying. The issue is still there even after
    restart.

    On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <[hidden email]>
    wrote:

    > <session-config>
    >     <cookie-config>
    >         <http-only>true</http-only>
    >         <secure>true</secure>
    >     </cookie-config>
    > </session-config>
    >
    > Restart the server.
    >
    > On 31/12/20, 3:50 pm, "Amit Khosla" <[hidden email]> wrote:
    >
    >     Hi Team,
    >
    >
    >
    >     As we are looking forward for JSESSIONID to be secure.
    >
    >
    >
    >     We made changes in web.xml in tomcat/conf
    >
    >        <session-config>
    >
    >           <cookie-config>
    >
    >              <http-only>true</http-only>
    >
    >             <secure>true</secure>
    >
    >           </cookie-config>
    >
    >        </session-config>
    >
    >
    >
    >     But even after the changes, we are not able to get the JSESSIONID
    > cookie as
    >     secure.
    >
    >     We also tried changes in web.xml of our application, i.e,
    >     tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not getting it
    >     secure.
    >
    >
    >
    >     Tomcat version we are using is 8.5.53.
    >
    >     We are getting same issue on windows as well as linux machine.
    >
    >
    >
    >     Can you please guide us what can be done as this is required as per
    >     security compliance?
    >
    >
    >
    >     Thanks & Regards
    >
    >     Amit
    >
    >

    --
    Thanks & Regards
    Amit Khosla


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Not able to make JSESSIONID cookie secure

Amit Khosla
Thanks for reply!

We did changes in <CATALINA_HOME>/conf/web.xml.
But when the changes did not reflect, we made changes in specific app as
well. But we could not see the cookie as secure.

We verified by the response headers seen in chrome developer tool. The
cookie JSESSIONID does not have a secure flag.

By the way, Happy New Year!

On Thu, Dec 31, 2020 at 5:01 PM Darryl Lewis <[hidden email]>
wrote:

>
> Did you make the changes to <CATALINA_HOME>/conf/web.xml ? It seems you
> may have made them just to that specific our_app  application
>
> Are you sure you are testing it correctly?
> Can you try https://gf.dev/http-headers-test
>
>
> On 31/12/20, 8:29 pm, "Amit Khosla" <[hidden email]> wrote:
>
>     Thanks for reply,
>     we did restarted server while trying. The issue is still there even
> after
>     restart.
>
>     On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <
> [hidden email]>
>     wrote:
>
>     > <session-config>
>     >     <cookie-config>
>     >         <http-only>true</http-only>
>     >         <secure>true</secure>
>     >     </cookie-config>
>     > </session-config>
>     >
>     > Restart the server.
>     >
>     > On 31/12/20, 3:50 pm, "Amit Khosla" <[hidden email]>
> wrote:
>     >
>     >     Hi Team,
>     >
>     >
>     >
>     >     As we are looking forward for JSESSIONID to be secure.
>     >
>     >
>     >
>     >     We made changes in web.xml in tomcat/conf
>     >
>     >        <session-config>
>     >
>     >           <cookie-config>
>     >
>     >              <http-only>true</http-only>
>     >
>     >             <secure>true</secure>
>     >
>     >           </cookie-config>
>     >
>     >        </session-config>
>     >
>     >
>     >
>     >     But even after the changes, we are not able to get the JSESSIONID
>     > cookie as
>     >     secure.
>     >
>     >     We also tried changes in web.xml of our application, i.e,
>     >     tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not
> getting it
>     >     secure.
>     >
>     >
>     >
>     >     Tomcat version we are using is 8.5.53.
>     >
>     >     We are getting same issue on windows as well as linux machine.
>     >
>     >
>     >
>     >     Can you please guide us what can be done as this is required as
> per
>     >     security compliance?
>     >
>     >
>     >
>     >     Thanks & Regards
>     >
>     >     Amit
>     >
>     >
>
>     --
>     Thanks & Regards
>     Amit Khosla
>
>

--
Thanks & Regards
Amit Khosla
Reply | Threaded
Open this post in threaded view
|

Re: Not able to make JSESSIONID cookie secure

Amit Khosla
Hi,

We are still facing this issue. Can someone please help us?

Thanks & Regards
Amit

On Fri, Jan 1, 2021 at 8:22 PM Amit Khosla <[hidden email]>
wrote:

> Thanks for reply!
>
> We did changes in <CATALINA_HOME>/conf/web.xml.
> But when the changes did not reflect, we made changes in specific app as
> well. But we could not see the cookie as secure.
>
> We verified by the response headers seen in chrome developer tool. The
> cookie JSESSIONID does not have a secure flag.
>
> By the way, Happy New Year!
>
> On Thu, Dec 31, 2020 at 5:01 PM Darryl Lewis <[hidden email]>
> wrote:
>
>>
>> Did you make the changes to <CATALINA_HOME>/conf/web.xml ? It seems you
>> may have made them just to that specific our_app  application
>>
>> Are you sure you are testing it correctly?
>> Can you try https://gf.dev/http-headers-test
>>
>>
>> On 31/12/20, 8:29 pm, "Amit Khosla" <[hidden email]> wrote:
>>
>>     Thanks for reply,
>>     we did restarted server while trying. The issue is still there even
>> after
>>     restart.
>>
>>     On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <
>> [hidden email]>
>>     wrote:
>>
>>     > <session-config>
>>     >     <cookie-config>
>>     >         <http-only>true</http-only>
>>     >         <secure>true</secure>
>>     >     </cookie-config>
>>     > </session-config>
>>     >
>>     > Restart the server.
>>     >
>>     > On 31/12/20, 3:50 pm, "Amit Khosla" <[hidden email]>
>> wrote:
>>     >
>>     >     Hi Team,
>>     >
>>     >
>>     >
>>     >     As we are looking forward for JSESSIONID to be secure.
>>     >
>>     >
>>     >
>>     >     We made changes in web.xml in tomcat/conf
>>     >
>>     >        <session-config>
>>     >
>>     >           <cookie-config>
>>     >
>>     >              <http-only>true</http-only>
>>     >
>>     >             <secure>true</secure>
>>     >
>>     >           </cookie-config>
>>     >
>>     >        </session-config>
>>     >
>>     >
>>     >
>>     >     But even after the changes, we are not able to get the
>> JSESSIONID
>>     > cookie as
>>     >     secure.
>>     >
>>     >     We also tried changes in web.xml of our application, i.e,
>>     >     tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not
>> getting it
>>     >     secure.
>>     >
>>     >
>>     >
>>     >     Tomcat version we are using is 8.5.53.
>>     >
>>     >     We are getting same issue on windows as well as linux machine.
>>     >
>>     >
>>     >
>>     >     Can you please guide us what can be done as this is required as
>> per
>>     >     security compliance?
>>     >
>>     >
>>     >
>>     >     Thanks & Regards
>>     >
>>     >     Amit
>>     >
>>     >
>>
>>     --
>>     Thanks & Regards
>>     Amit Khosla
>>
>>
>
> --
> Thanks & Regards
> Amit Khosla
>


--
Thanks & Regards
Amit Khosla
Ph: 9911797132
Reply | Threaded
Open this post in threaded view
|

Re: Not able to make JSESSIONID cookie secure

Mark Thomas-2
On 04/01/2021 06:02, Amit Khosla wrote:
> Hi,
>
> We are still facing this issue. Can someone please help us?

In a clean 8.5.x install, session cookies are only marked as secure if
the request that triggered the session creation is made over a secure
channel (typically HTTPS).

If you amend the session configuration in $CATALINA_BASE/conf/web.xml from:

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

to

<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>

then session cookies will be generated with the secure flag whether or
not the request that triggered the the session creation was made over a
secure channel.

Reviewing the thread:

Are you sure you are amending the correct web.xml file? One way to check
this is to make a deliberate error in the file and confirm that this
error is reported when Tomcat starts.

Note that you can only use <session-config> once in a web.xml file. If
the web.xml file already contains a <session-config> element you must
add to that existing element.

Configuration in the application's web.xml file will override the global
web.xml file. Make sure that the application's web.xml either does not
specify a value for secure or specifies true.

If you still have issues:
- start with a clean Tomcat 8.5.x install
- confirm that
  http://localhost:8080/examples/servlets/servlet/SessionExample
  generates a set-cookie header without the secure attribute
- stop Tomcat
- close the browser
- amend conf/web.xml as above
- start Tomcat
- confirm that
  http://localhost:8080/examples/servlets/servlet/SessionExample
  generates a set-cookie header with the secure attribute
- retest with your application

You must close the browser between each request you expect to generate a
session cookie to prevent any existing session from being used.

If this test fails then you'll need to check the application source
code. It is possible that the application is overriding your attempts to
make the session cookie secure.

Mark



>
> Thanks & Regards
> Amit
>
> On Fri, Jan 1, 2021 at 8:22 PM Amit Khosla <[hidden email]>
> wrote:
>
>> Thanks for reply!
>>
>> We did changes in <CATALINA_HOME>/conf/web.xml.
>> But when the changes did not reflect, we made changes in specific app as
>> well. But we could not see the cookie as secure.
>>
>> We verified by the response headers seen in chrome developer tool. The
>> cookie JSESSIONID does not have a secure flag.
>>
>> By the way, Happy New Year!
>>
>> On Thu, Dec 31, 2020 at 5:01 PM Darryl Lewis <[hidden email]>
>> wrote:
>>
>>>
>>> Did you make the changes to <CATALINA_HOME>/conf/web.xml ? It seems you
>>> may have made them just to that specific our_app  application
>>>
>>> Are you sure you are testing it correctly?
>>> Can you try https://gf.dev/http-headers-test
>>>
>>>
>>> On 31/12/20, 8:29 pm, "Amit Khosla" <[hidden email]> wrote:
>>>
>>>     Thanks for reply,
>>>     we did restarted server while trying. The issue is still there even
>>> after
>>>     restart.
>>>
>>>     On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <
>>> [hidden email]>
>>>     wrote:
>>>
>>>     > <session-config>
>>>     >     <cookie-config>
>>>     >         <http-only>true</http-only>
>>>     >         <secure>true</secure>
>>>     >     </cookie-config>
>>>     > </session-config>
>>>     >
>>>     > Restart the server.
>>>     >
>>>     > On 31/12/20, 3:50 pm, "Amit Khosla" <[hidden email]>
>>> wrote:
>>>     >
>>>     >     Hi Team,
>>>     >
>>>     >
>>>     >
>>>     >     As we are looking forward for JSESSIONID to be secure.
>>>     >
>>>     >
>>>     >
>>>     >     We made changes in web.xml in tomcat/conf
>>>     >
>>>     >        <session-config>
>>>     >
>>>     >           <cookie-config>
>>>     >
>>>     >              <http-only>true</http-only>
>>>     >
>>>     >             <secure>true</secure>
>>>     >
>>>     >           </cookie-config>
>>>     >
>>>     >        </session-config>
>>>     >
>>>     >
>>>     >
>>>     >     But even after the changes, we are not able to get the
>>> JSESSIONID
>>>     > cookie as
>>>     >     secure.
>>>     >
>>>     >     We also tried changes in web.xml of our application, i.e,
>>>     >     tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not
>>> getting it
>>>     >     secure.
>>>     >
>>>     >
>>>     >
>>>     >     Tomcat version we are using is 8.5.53.
>>>     >
>>>     >     We are getting same issue on windows as well as linux machine.
>>>     >
>>>     >
>>>     >
>>>     >     Can you please guide us what can be done as this is required as
>>> per
>>>     >     security compliance?
>>>     >
>>>     >
>>>     >
>>>     >     Thanks & Regards
>>>     >
>>>     >     Amit
>>>     >
>>>     >
>>>
>>>     --
>>>     Thanks & Regards
>>>     Amit Khosla
>>>
>>>
>>
>> --
>> Thanks & Regards
>> Amit Khosla
>>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Not able to make JSESSIONID cookie secure

Christopher Schultz-2
Mark,

On 1/4/21 03:17, Mark Thomas wrote:

> On 04/01/2021 06:02, Amit Khosla wrote:
>> Hi,
>>
>> We are still facing this issue. Can someone please help us?
>
> In a clean 8.5.x install, session cookies are only marked as secure if
> the request that triggered the session creation is made over a secure
> channel (typically HTTPS).
>
> If you amend the session configuration in $CATALINA_BASE/conf/web.xml from:
>
> <session-config>
>      <session-timeout>30</session-timeout>
> </session-config>
>
> to
>
> <session-config>
>      <session-timeout>30</session-timeout>
>      <cookie-config>
>          <secure>true</secure>
>      </cookie-config>
> </session-config>
>
> then session cookies will be generated with the secure flag whether or
> not the request that triggered the the session creation was made over a
> secure channel.
>
> Reviewing the thread:
>
> Are you sure you are amending the correct web.xml file? One way to check
> this is to make a deliberate error in the file and confirm that this
> error is reported when Tomcat starts.
>
> Note that you can only use <session-config> once in a web.xml file. If
> the web.xml file already contains a <session-config> element you must
> add to that existing element.
>
> Configuration in the application's web.xml file will override the global
> web.xml file. Make sure that the application's web.xml either does not
> specify a value for secure or specifies true.
>
> If you still have issues:
> - start with a clean Tomcat 8.5.x install
> - confirm that
>    http://localhost:8080/examples/servlets/servlet/SessionExample
>    generates a set-cookie header without the secure attribute
> - stop Tomcat
> - close the browser
> - amend conf/web.xml as above
> - start Tomcat
> - confirm that
>    http://localhost:8080/examples/servlets/servlet/SessionExample
>    generates a set-cookie header with the secure attribute
> - retest with your application
>
> You must close the browser between each request you expect to generate a
> session cookie to prevent any existing session from being used.

You may be able to avoid this with either of:

1. "Private" browsing mode: use a new "private" tab/window each time

2. Under developer tools / Storage (you may have to poke around for
this), you should be able to see the cookies for the host and, if
appropriate, delete them.

> If this test fails then you'll need to check the application source
> code. It is possible that the application is overriding your attempts to
> make the session cookie secure.

+1

Other possibilities include a reverse proxy where the client is using
HTTPS to communicate with the proxy, but HTTPS is not being used between
the proxy and the Tomcat server.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Not able to make JSESSIONID cookie secure

Amit Khosla
Hi,

Thanks for the reply.

We tried the settings on multiple machines. And found that the same
configuration machines gave different results.
We are getting multiple jsessionid cookies being created. In our
application, we have a multi tenant application.
For each tenant we have an nginx running calling the application url.
URL being hit on browser is like
*<TENANAT>.myapp.com <http://myapp.com>*
We are able to see 2 JSESSIONID cookies being generated for this call on
some machines.
1. domain: /myapp  which is having secure flag.
2. domain: /myapp/ which is NOT having secure flag.

Strangely, in most machines, we are finding the second cookie being
generated but the first cookie not generated.
Only when we saw on one of the machines, the first cookie, we found that
the secure jsessionid cookie being generated on that particular environment.

The environment having 2 cookies and the one with one cookie are identical.
Can you please help me fix the creation of the second cookie and also how
to ensure that the first cookie is generated in all environments?


On Tue, Jan 5, 2021 at 1:24 AM Christopher Schultz <
[hidden email]> wrote:

> Mark,
>
> On 1/4/21 03:17, Mark Thomas wrote:
> > On 04/01/2021 06:02, Amit Khosla wrote:
> >> Hi,
> >>
> >> We are still facing this issue. Can someone please help us?
> >
> > In a clean 8.5.x install, session cookies are only marked as secure if
> > the request that triggered the session creation is made over a secure
> > channel (typically HTTPS).
> >
> > If you amend the session configuration in $CATALINA_BASE/conf/web.xml
> from:
> >
> > <session-config>
> >      <session-timeout>30</session-timeout>
> > </session-config>
> >
> > to
> >
> > <session-config>
> >      <session-timeout>30</session-timeout>
> >      <cookie-config>
> >          <secure>true</secure>
> >      </cookie-config>
> > </session-config>
> >
> > then session cookies will be generated with the secure flag whether or
> > not the request that triggered the the session creation was made over a
> > secure channel.
> >
> > Reviewing the thread:
> >
> > Are you sure you are amending the correct web.xml file? One way to check
> > this is to make a deliberate error in the file and confirm that this
> > error is reported when Tomcat starts.
> >
> > Note that you can only use <session-config> once in a web.xml file. If
> > the web.xml file already contains a <session-config> element you must
> > add to that existing element.
> >
> > Configuration in the application's web.xml file will override the global
> > web.xml file. Make sure that the application's web.xml either does not
> > specify a value for secure or specifies true.
> >
> > If you still have issues:
> > - start with a clean Tomcat 8.5.x install
> > - confirm that
> >    http://localhost:8080/examples/servlets/servlet/SessionExample
> >    generates a set-cookie header without the secure attribute
> > - stop Tomcat
> > - close the browser
> > - amend conf/web.xml as above
> > - start Tomcat
> > - confirm that
> >    http://localhost:8080/examples/servlets/servlet/SessionExample
> >    generates a set-cookie header with the secure attribute
> > - retest with your application
> >
> > You must close the browser between each request you expect to generate a
> > session cookie to prevent any existing session from being used.
>
> You may be able to avoid this with either of:
>
> 1. "Private" browsing mode: use a new "private" tab/window each time
>
> 2. Under developer tools / Storage (you may have to poke around for
> this), you should be able to see the cookies for the host and, if
> appropriate, delete them.
>
> > If this test fails then you'll need to check the application source
> > code. It is possible that the application is overriding your attempts to
> > make the session cookie secure.
>
> +1
>
> Other possibilities include a reverse proxy where the client is using
> HTTPS to communicate with the proxy, but HTTPS is not being used between
> the proxy and the Tomcat server.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

--
Thanks & Regards
Amit Khosla
Reply | Threaded
Open this post in threaded view
|

Re: Not able to make JSESSIONID cookie secure

Martin Grigorov
Hi Amit,

On Wed, Jan 6, 2021 at 11:15 AM Amit Khosla <[hidden email]>
wrote:

> Hi,
>
> Thanks for the reply.
>
> We tried the settings on multiple machines. And found that the same
> configuration machines gave different results.
> We are getting multiple jsessionid cookies being created. In our
> application, we have a multi tenant application.
> For each tenant we have an nginx running calling the application url.
> URL being hit on browser is like
> *<TENANAT>.myapp.com <http://myapp.com>*
> We are able to see 2 JSESSIONID cookies being generated for this call on
> some machines.
> 1. domain: /myapp  which is having secure flag.
> 2. domain: /myapp/ which is NOT having secure flag.
>
> Strangely, in most machines, we are finding the second cookie being
> generated but the first cookie not generated.
> Only when we saw on one of the machines, the first cookie, we found that
> the secure jsessionid cookie being generated on that particular
> environment.
>
> The environment having 2 cookies and the one with one cookie are identical.
> Can you please help me fix the creation of the second cookie and also how
> to ensure that the first cookie is generated in all environments?
>

I think you issue is in Nginx config.
Please test first only with Tomcat and see whether it behaves propertly.
If it does then ask for more help at Nginx forums.
If it doesn't then please explain in more details how exactly you test it,
with configs, urls, etc.


>
>
> On Tue, Jan 5, 2021 at 1:24 AM Christopher Schultz <
> [hidden email]> wrote:
>
> > Mark,
> >
> > On 1/4/21 03:17, Mark Thomas wrote:
> > > On 04/01/2021 06:02, Amit Khosla wrote:
> > >> Hi,
> > >>
> > >> We are still facing this issue. Can someone please help us?
> > >
> > > In a clean 8.5.x install, session cookies are only marked as secure if
> > > the request that triggered the session creation is made over a secure
> > > channel (typically HTTPS).
> > >
> > > If you amend the session configuration in $CATALINA_BASE/conf/web.xml
> > from:
> > >
> > > <session-config>
> > >      <session-timeout>30</session-timeout>
> > > </session-config>
> > >
> > > to
> > >
> > > <session-config>
> > >      <session-timeout>30</session-timeout>
> > >      <cookie-config>
> > >          <secure>true</secure>
> > >      </cookie-config>
> > > </session-config>
> > >
> > > then session cookies will be generated with the secure flag whether or
> > > not the request that triggered the the session creation was made over a
> > > secure channel.
> > >
> > > Reviewing the thread:
> > >
> > > Are you sure you are amending the correct web.xml file? One way to
> check
> > > this is to make a deliberate error in the file and confirm that this
> > > error is reported when Tomcat starts.
> > >
> > > Note that you can only use <session-config> once in a web.xml file. If
> > > the web.xml file already contains a <session-config> element you must
> > > add to that existing element.
> > >
> > > Configuration in the application's web.xml file will override the
> global
> > > web.xml file. Make sure that the application's web.xml either does not
> > > specify a value for secure or specifies true.
> > >
> > > If you still have issues:
> > > - start with a clean Tomcat 8.5.x install
> > > - confirm that
> > >    http://localhost:8080/examples/servlets/servlet/SessionExample
> > >    generates a set-cookie header without the secure attribute
> > > - stop Tomcat
> > > - close the browser
> > > - amend conf/web.xml as above
> > > - start Tomcat
> > > - confirm that
> > >    http://localhost:8080/examples/servlets/servlet/SessionExample
> > >    generates a set-cookie header with the secure attribute
> > > - retest with your application
> > >
> > > You must close the browser between each request you expect to generate
> a
> > > session cookie to prevent any existing session from being used.
> >
> > You may be able to avoid this with either of:
> >
> > 1. "Private" browsing mode: use a new "private" tab/window each time
> >
> > 2. Under developer tools / Storage (you may have to poke around for
> > this), you should be able to see the cookies for the host and, if
> > appropriate, delete them.
> >
> > > If this test fails then you'll need to check the application source
> > > code. It is possible that the application is overriding your attempts
> to
> > > make the session cookie secure.
> >
> > +1
> >
> > Other possibilities include a reverse proxy where the client is using
> > HTTPS to communicate with the proxy, but HTTPS is not being used between
> > the proxy and the Tomcat server.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [hidden email]
> > For additional commands, e-mail: [hidden email]
> >
> >
>
> --
> Thanks & Regards
> Amit Khosla
>