Thread: JsessionID Cookie

  1. #1
    Join Date
    Nov 2009
    Posts
    1

    JsessionID Cookie

    We are using Spring Security 3.0.5-Release.

    I have had to create a filter to set the JSESSIONID cookie to secure when the request is secure (HTTPS), and this works when displaying the login page.

    After a successful login Spring creates a new Session and a new JSESSIONID cookie; this new cookie does not have the secure flag set.
    I want to know if it is possible to set this cookie's secure attribute?

    Thank you for any feedback.

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    Did you happen to see the FAQ entry on this? In short, the JSESSIONID cookie is created by the container (i.e. Tomcat) so you must consult the container's documentation on how to change this. Typically the cookie will be secure if you were using https when the session was created.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
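
A check for the behaviour discussed in this thread, added here as an example (it is not code from either poster or from Spring Security): it walks the `Set-Cookie` headers of a login exchange and flags any JSESSIONID issued over HTTPS without the Secure attribute, including the one reissued after login. The exchange, session IDs and `/app` path are constructed sample values, and the function names are hypothetical.

```python
from http.cookies import SimpleCookie

# Constructed sample: (step, request scheme, Set-Cookie values in the response).
# The second response mimics the new session created after a successful login.
SAMPLE_EXCHANGE = [
    ("GET /login", "https", ["JSESSIONID=AAAA1111; Path=/app; Secure"]),
    ("POST /j_spring_security_check", "https", ["JSESSIONID=BBBB2222; Path=/app"]),
    ("GET /home", "https", []),
]


def audit_session_cookie(exchange, name="JSESSIONID"):
    """Return one record per issued session cookie, in the order it was set."""
    records = []
    previous_id = None
    for step, scheme, headers in exchange:
        for header in headers:
            jar = SimpleCookie()
            jar.load(header)
            if name not in jar:
                continue
            morsel = jar[name]
            secure = bool(morsel["secure"])  # "" when the flag is absent
            records.append({
                "step": step,
                "session_id": morsel.value,
                # True when the container replaced an earlier session ID.
                "reissued": previous_id is not None and morsel.value != previous_id,
                "secure": secure,
                # A cookie set on an HTTPS response should carry Secure.
                "violation": scheme == "https" and not secure,
            })
            previous_id = morsel.value
    return records


def violations(exchange, name="JSESSIONID"):
    """Steps whose response set the session cookie over HTTPS without Secure."""
    return [r["step"] for r in audit_session_cookie(exchange, name) if r["violation"]]


if __name__ == "__main__":
    for record in audit_session_cookie(SAMPLE_EXCHANGE):
        status = "MISSING Secure" if record["violation"] else "ok"
        print(f'{record["step"]}: {record["session_id"]} '
              f'reissued={record["reissued"]} -> {status}')
```
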
