Mar 21st, 2011, 07:36 PM
We are using Spring Security 3.0.5-Release.
I have had to create a filter to set the JSESSIONID cookie to secure when the request is secure (HTTPS), and this works when displaying the login page.
After a successful login, Spring creates a new session and a new JSESSIONID cookie; this new cookie does not have the secure flag set.
I want to know if it is possible to set this cookie's secure attribute.
Thank you for any feedback.
Mar 22nd, 2011, 11:54 AM
Did you happen to see the FAQ entry on this? In short, the JSESSIONID cookie is created by the container (i.e. Tomcat), so you must consult the container's documentation on how to change this. Typically the cookie will be secure if you were using HTTPS when the session was created.