Spring Boot JSESSIONID secure flag not set over HTTPS

We have built a Cloud Foundry app using Liberty for Java. When testing the app we found that the SSL cookie did not have the secure flag set.

Issue: The JSESSIONID did not have the Secure flag set while the _VCAP_ID had the Secure flag set

We have used Spring Boot to develop the app and according to the documentation we just need to secure the cookie flag in a property file: http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html

RESOLUTION: We have ended up fixing the issue by following this post: "Add secure flag to JSESSIONID cookie in spring automatically"

Does anyone know if there is an issue with Cloud Foundry or Liberty related to not being able to set the SSL cookie secure flag on both JSESSIONID and _VCAP_ID at the same time over HTTPS?

Lenard answered 16/3, 2017 at 23:30 Comment(1)
I'm confused, after your change, weren't both _VCAP_ID and JSESSIONID cookies secure? Or did your resolution somehow remove the Secure flag from _VCAP_ID? If they're both secure, why ask the question "not being able to set the SSL cookie secure flag on both JSESSIONID and _VCAP_ID at the same time"?
Gilli
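
A check for the symptom reported in the question, as an added example that is not part of the original post or of the linked answer: it parses `Set-Cookie` response header values and reports which cookies lack a required attribute, so the fix can be verified for JSESSIONID and _VCAP_ID together. The function names are hypothetical and the header values are constructed to mirror the behaviour described above.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, set of attribute names).

    Attribute names are compared case-insensitively, and only the parts after
    the first ';' count as attributes, so a cookie *value* that happens to
    contain the text "secure" is not mistaken for the Secure flag.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), attrs


def audit_cookies(set_cookie_headers, required=("secure",)):
    """Return {cookie name: [missing attributes]} for every non-compliant cookie."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = [a for a in required if a.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: response headers as seen over HTTPS before the fix,
# with JSESSIONID lacking Secure while _VCAP_ID carries it.
SAMPLE_HEADERS = [
    "JSESSIONID=0000constructed-secure-looking-id; Path=/; HttpOnly",
    "_VCAP_ID=constructed-instance-guid; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    findings = audit_cookies(SAMPLE_HEADERS)
    for cookie, missing in findings.items():
        print(f"{cookie}: missing {', '.join(missing)}")
    if not findings:
        print("all cookies carry the required attributes")
```

Passing `required=("secure", "httponly")` extends the same check to the HttpOnly attribute.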
