Forums

Liferay cookies

Maulin Rathod, modified 15 years ago.

Liferay cookies

Junior Member Posts: 61 Join Date: 06.11.08
Hi,

We want to make the cookie secure and httponly to protect the cookie. How can we do it?
Samuel Kong, modified 15 years ago.

RE: Liferay cookies

Liferay Legend Posts: 1902 Join Date: 10.03.08
If a user signs in using an https connection, the cookies will automatically be marked secured. To force users to use an https connection, look into one of these properties:

web.server.protocol
main.servlet.https.required
Marcin Radecki, modified 13 years ago.

RE: Liferay cookies

New Member Posts: 1 Join Date: 25.10.10
Hi,

This seems to be an answer to the former part of the question (secure cookie). How about setting a httponly flag on Liferay cookies?

Cheers,
Marcin
Jonathan Ross, modified 13 years ago.

RE: Liferay cookies

New Member Posts: 1 Join Date: 21.06.10
I am also interested in setting all cookies to httpOnly. Has anyone found a solution to this?
Jon Cruz, modified 13 years ago.

RE: Liferay cookies

New Member Posts: 21 Join Date: 11.11.10
I'm also interested to see if anyone has come up with a solution.

I've been searching Google for ways of setting it in JBoss/Tomcat or Apache HTTP server as well as "Liferay".

I've found:

http://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly


It'd be nice if a Liferay dev or support would say "yeah it's possible" or "no it's not possible yet".

Thanks.
Daniel Dan, modified 12 years ago.

RE: Liferay cookies

New Member Posts: 3 Join Date: 19.04.11
Samuel Kong:
If a user signs in using an https connection, the cookies will automatically be marked secured. To force users to use an https connection, look into one of these properties:

web.server.protocol
main.servlet.https.required



If I'm currently using an https connection, will it make some difference to change the cookie property to HttpOnly?

Thanks in advance
Daniel Dan, modified 12 years ago.

RE: Liferay cookies

New Member Posts: 3 Join Date: 19.04.11
Daniel Dan:
Samuel Kong:
If a user signs in using an https connection, the cookies will automatically be marked secured. To force users to use an https connection, look into one of these properties:

web.server.protocol
main.servlet.https.required



If I'm currently using an https connection, will it make some difference to change the cookie property to HttpOnly?

Thanks in advance


Can someone answer that?
Alireza Zare, modified 11 years ago.

RE: Liferay cookies

Regular Member Posts: 110 Join Date: 03.09.10
Does anyone know how to set HttpOnly and secure cookie flags in Liferay?
Sushil Kumar Saini, modified 11 years ago.

RE: Liferay cookies

Regular Member Posts: 104 Join Date: 27.07.11
Hi Friends,

JSessionId is generated by the application server, like Tomcat, JBoss, etc. That's why, to make the JSessionId httpOnly, configuration would be required at the app server. In my case I am using the Tomcat server.

And for the Tomcat server, the following configuration is required in the {TOMCAT_HOME}\conf\context.xml file.
<Context useHttpOnly="true" >

Thanks
Sushil Kumar
Ashish Renapurkar, modified 10 years ago.

RE: Liferay cookies

New Member Posts: 23 Join Date: 18.01.12
It will work on Firefox but not on IE or Chrome.
Ashish Renapurkar, modified 10 years ago.

RE: Liferay cookies

New Member Posts: 23 Join Date: 18.01.12
Ashish Renapurkar:
It will work on Firefox but not on IE or Chrome.


I tried another way to fix the httponly issue: I added the HttpOnly cookies.jar and added a filter in web.xml. Now I'm not able to log in to the application; it is showing "Authentication failed. Please enable browser cookies and try again."

Any help will be appreciated.

Regards...
Ashish Renapurkar
Harsha Mhaske, modified 10 years ago.

RE: Liferay cookies

New Member Posts: 15 Join Date: 26.09.08
Hi Samuel,

We already have web.server.protocol set to true and the site is on https, but still the vulnerability report says that cookies are not set to secure.

Could you please help.

Regards,
Harsha