Liferay cookies
Maulin Rathod, modified 15 years ago.
Liferay cookies
Junior Member Posts: 61 Join Date: 06.11.08
Hi,
We want to make cookie secure and httponly to protect cookie. How can we do it?
Samuel Kong, modified 15 years ago.
RE: Liferay cookies
Liferay Legend Posts: 1902 Join Date: 10.03.08
If a user signs in using an https connection, the cookies will automatically be marked secured. To force users to use an https connection, look into one of these properties:
web.server.protocol
main.servlet.https.required
Marcin Radecki, modified 13 years ago.
RE: Liferay cookies
New Member Posts: 1 Join Date: 25.10.10
Hi,
This seems to be an answer to the former part of the question (secure cookie). How about setting a httponly flag on Liferay cookies?
Cheers,
Marcin
Jonathan Ross, modified 13 years ago.
RE: Liferay cookies
New Member Posts: 1 Join Date: 21.06.10
I am also interested in setting all cookies to httpOnly. Has anyone found a solution to this?
Jon Cruz, modified 13 years ago.
RE: Liferay cookies
New Member Posts: 21 Join Date: 11.11.10
I'm also interested to see if anyone has come up with a solution.
I've been searching Google for ways of setting it in JBoss/Tomcat or Apache HTTP server as well as "Liferay".
I've found:
http://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly
It'd be nice if a Liferay dev or support would say "yeah it's possible" or "no it's not possible yet".
Thanks.
Daniel Dan, modified 12 years ago.
RE: Liferay cookies
New Member Posts: 3 Join Date: 19.04.11
Samuel Kong:
If a user signs in using an https connection, the cookies will automatically be marked secured. To force users to use an https connection, look into one of these properties:
web.server.protocol
main.servlet.https.required
If I'm currently using an https connection, will it make some difference to change the cookie property to HttpOnly?
Thanks in advance
Daniel Dan, modified 12 years ago.
RE: Liferay cookies
New Member Posts: 3 Join Date: 19.04.11
Daniel Dan:
Samuel Kong:
If a user signs in using an https connection, the cookies will automatically be marked secured. To force users to use an https connection, look into one of these properties:
web.server.protocol
main.servlet.https.required
If I'm currently using an https connection, will it make some difference to change the cookie property to HttpOnly?
Thanks in advance
Can someone answer that?
Alireza Zare, modified 11 years ago.
RE: Liferay cookies
Regular Member Posts: 110 Join Date: 03.09.10
Does anyone know how to set HttpOnly and secure cookie flags in Liferay?
Sushil Kumar Saini, modified 11 years ago.
RE: Liferay cookies
Regular Member Posts: 104 Join Date: 27.07.11
Hi Friends,
JSessionId is generated by the application server, like Tomcat, JBoss, etc. That's why, to make the JSessionId httpOnly, configuration would be required at the app server. In my case I am using the Tomcat server.
And for the Tomcat server, the following configuration is required in the {TOMCAT_HOME}\conf\context.xml file.
<Context useHttpOnly="true" >
Thanks
Sushil Kumar
Ashish Renapurkar, modified 10 years ago.
RE: Liferay cookies
New Member Posts: 23 Join Date: 18.01.12
It will work on Firefox but not on IE or Chrome.
Ashish Renapurkar, modified 10 years ago.
RE: Liferay cookies
New Member Posts: 23 Join Date: 18.01.12
Ashish Renapurkar:
It will work on Firefox but not on IE or Chrome.
I tried another way to fix the httponly issue, I'll add the HttpOnly cookies.jar and add a filter in web.xml. Now I'm not able to log in to the application; it is showing "Authentication failed. Please enable browser cookies and try again."
Any help will be appreciated.
Regards...
Ashish Renapurkar
Harsha Mhaske, modified 10 years ago.
RE: Liferay cookies
New Member Posts: 15 Join Date: 26.09.08
Hi Samuel,
We already have web.server.protocol set to true and the site is on https, but still the vulnerability report says that cookies are not set to secure.
Could you please help.
Regards,
Harsha
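A way to check the outcome of any of the settings discussed in this thread, as an added example that is not part of the original posts: the script parses Set-Cookie header values and reports which cookies lack the Secure or HttpOnly attribute. The header lines and the EXAMPLE_* cookie names are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie header values for Secure and HttpOnly.
# SAMPLE_HEADERS is constructed sample data; the EXAMPLE_* names are hypothetical.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
    "JSESSIONID=0123456789ABCDEF; Path=/",
    # Flag words inside the cookie *value* must not count as attributes.
    "EXAMPLE_PREF=secure-httponly-theme; Path=/; Max-Age=3600",
    # Attribute names are case-insensitive.
    "EXAMPLE_TOKEN=abc123; path=/; SECURE; httponly",
    # Expires contains a comma and spaces; it must survive parsing intact.
    "EXAMPLE_LANG=en_US; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure",
]


def parse_set_cookie(header_value):
    """Return (name, attrs); attrs maps lower-cased attribute names to
    their value, or to True for valueless flags such as Secure."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def missing_flags(header_value):
    """List which of Secure / HttpOnly are absent from one Set-Cookie value."""
    _name, attrs = parse_set_cookie(header_value)
    return [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]


def audit(headers):
    """Return {cookie name: sorted missing flags} for cookies lacking a flag."""
    findings = {}
    for header_value in headers:
        name, _attrs = parse_set_cookie(header_value)
        gaps = missing_flags(header_value)
        if gaps:
            # A cookie may be set more than once; keep the union of gaps.
            findings[name] = sorted(set(findings.get(name, [])) | set(gaps))
    return findings


if __name__ == "__main__":
    for cookie, gaps in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(gaps)}")
```

Feed it the Set-Cookie values returned by the login and landing pages over HTTPS; a cookie that is set by both the application server and the portal shows up once, with every flag any of its responses lacked.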