Hi!

Have you tried using the ssl-session-cookie configuration?

Here's the documentation:

http://caucho.com/resin-3.1/doc/cluster-tags.xtp#ssl-session-cookie


Cheers,
Kai


2009/9/9 Abhinav Gupta <abhi...@appirio.com>:
> Hi All,
>
>
> This problem is regarding cookie security over SSL (https). We are running a
> J2EE web application, our motive is to get the cookie's "isSecure" flag set
> to true. We tried researching around the resin config settings for this but
> no luck. Details of the approach we tried and the issue faced are elaborated
> below.
>
> Environment Details
> ====================
> 1. Resin 3.1.7 server running a web application called "tool"
> 2. Apache is in the front forwarding/redirecting all inbound traffic to the
> resin server.
> 3. Apache is set up with trusted SSL certificates from GoDaddy.
>
>
> Problem Details
> ================
> By default for all secure https requests, resin is sending cookies back with
> "isSecure" flag as false.
> We tried looking for resin config settings to fix this, but can't find any
> setting. So we created a Servlet filter in our webapp
> to trap all inbound requests and manually set the isSecure flag to true.
>
> This servlet filter approach partially fixed the problem. We are saying
> partially because there are two cookies created by
> the application in browser.
>
> Cookie 1: Its path is "<domain name>/" and the isSecure flag is "false"
> Cookie 2: Its path is "<domain name>/tools" and the isSecure flag is "true"
>
> So Cookie 2 is as expected, but Cookie 1 is not coming secured, to fix this
> we tried deploying the same servlet filter in the ROOT webapp of resin. But
> the problem persisted as before.
>
>
> Here is the servlet filter code.
>
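> import java.io.IOException;
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
> import javax.servlet.FilterConfig;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.Cookie;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
> public class CookieFilter implements Filter {
>
>     public void doFilter(ServletRequest req, ServletResponse res,
>             FilterChain chain) throws ServletException, IOException {
>         // Secure if it's an HTTP-based request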
>         if (req instanceof HttpServletRequest) {
>             HttpServletRequest httpReq = (HttpServletRequest) req;
>             HttpServletResponse httpRes = (HttpServletResponse) res;
>             Cookie[] cookies = httpReq.getCookies();
>             if (cookies != null && cookies.length > 0) {
>                 for (Cookie cookie : cookies) {
>                     // Make the cookie secure
>                     cookie.setSecure(true);
>                     // Add it to the response
>                     httpRes.addCookie(cookie);
>                 }
>             }
>         }
>         chain.doFilter(req, res);
>     }
>
>     public void init(FilterConfig arg0) throws ServletException {
>     }
>
>     public void destroy() {
>     }
>
> }
>
> Please suggest.
>
> Regards,
> Abhinav
>
> _______________________________________________
> resin-interest mailing list
> resin-interest@caucho.com
> http://maillist.caucho.com/mailman/listinfo/resin-interest
>
>
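An added example, not code from this thread or from Resin: the Cookie objects returned by getCookies() carry only a name and value, so re-adding them to the response creates a new cookie with a default path rather than changing the original one. The filter below instead wraps the response and marks each cookie Secure as the application adds it, keeping the cookie's own path and domain. The class names are hypothetical, and a session cookie that the container writes itself may not pass through the wrapper, in which case a container setting such as the one linked above is the place to look.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter name; added example, not the poster's code.
public class SecureCookieResponseFilter implements Filter {

    // Marks each cookie Secure at the moment it is added to the response,
    // so its path and domain are preserved and no duplicate cookie appears.
    static class SecureCookieResponse extends HttpServletResponseWrapper {
        SecureCookieResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            super.addCookie(cookie);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        if (res instanceof HttpServletResponse) {
            // Assumption: this webapp is only served to browsers over HTTPS
            // (SSL terminated at the front-end Apache), so every cookie
            // set through the response is marked Secure.
            res = new SecureCookieResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }
}
```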

