set 'secure' flag to JSESSION id cookie

tomcat6 jsessionid
Mariselvam picture Mariselvam · Sep 27, 2011 · Viewed 8.2k times · Source

I want to set 'secure' flag to JSESSIONID cookie . Is there a configuration in tomcat 6 for this ?

I tried by setting 'secure="true"' in 'Connector' (8080) element of server.xml , but it creates problems ....thats Connection is getting reset .

Note that in my application , the JSESSIONID is getting created in 'http' mode ( index page ) , when the user logins , it will switch into 'https' mode.

Answer

Koray Güclü picture Koray Güclü · Aug 13, 2012

If you are using tomcat 6 you can do the following workaround 

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure ; HttpOnly");

see https://www.owasp.org/index.php/HttpOnly for more information

Related questions

How to change the port of Tomcat from 8080 to 80?

I want to execute my web app as http://localhost.

Read More
Proxy Error 502 : The proxy server received an invalid response from an upstream server

We are building a mass mailing sending application in Java. Mail is being send by third party SMTP. After sending 400-500 mails tomcat6 service get stopped. Below is the error. Proxy Error The proxy server received an invalid response from …

Read More
Error With Port 8080 already in use

Can anyone help me to solve the following case? I am trying to generate my first web site using java and working with Eclipse Galileo running on Ubuntu 9.10. Since I generate my first lines of code I haven't seen the …

Read More