Re: JSessionId secure attribute not set if RemoteIpFilter with X-Forwarded-Proto https is used

2023-02-08 Thread Reto Weiss
Hi Mark

Reported as https://bz.apache.org/bugzilla/show_bug.cgi?id=66471

Regards

Reto

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



JSessionId secure attribute not set if RemoteIpFilter with X-Forwarded-Proto https is used

2023-02-08 Thread Reto Weiss
Hi There

I use Tomcat 9.0.68 and the org.apache.catalina.filters.RemoteIpFilter filter 
behind an NGINX reverse proxy. On the NGINX I set the HTTP header 
X-Forwarded-Proto to https.
If I now make a request with a browser to the reverse proxy, the JSESSIONID 
cookie I get back is missing the secure attribute.
I have debugged the RemoteIpFilter: the isSecure flag of the wrapper request it 
creates is correctly set to true. Unfortunately, the method getSession() or 
getSession(boolean) is forwarded to the wrapped original request, where the 
isSecure flag is still not set. Therefore, the JSESSIONID cookie is missing the 
secure flag. See org.apache.catalina.connector.Request method doGetSession and 
org.apache.catalina.core.ApplicationSessionCookieConfig method 
createSessionCookie.

This seems to be a bug.

As a workaround, org.apache.catalina.valves.RemoteIpValve can be used, which seems 
to handle this correctly. Also, the secure flag can be enforced by setting it in 
the web.xml.

However, I would like to use RemoteIpFilter because it has some advantages over 
the RemoteIpValve or statically setting it in the web.xml.

Should I file an issue for this?

Regards

Reto Weiss
El. Ing. HTL
Product Owner / Core Developer
Axon Ivy AG


+41 41 249 25 70
reto.we...@axonivy.com<mailto:reto.we...@axonivy.com>
www.axonivy.com<https://www.axonivy.com/>
Baarerstrasse 12 ∙ CH-6300 Zug


LinkedIn<https://www.linkedin.com/company/axonivy> ∙ 
Facebook<https://www.facebook.com/axonivy> ∙ 
Xing<https://www.xing.com/pages/axonivyag> ∙ 
Twitter<https://twitter.com/axonivy> ∙ 
YouTube<https://www.youtube.com/channel/UCkoNcDoeDAVM7FB-txy3jnQ>
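The check a practitioner would run to confirm the behaviour reported above, before and after applying one of the workarounds, is to look at the raw Set-Cookie headers the proxy returns and verify that every JSESSIONID cookie carries the Secure attribute. The script below is an added example, not code from the thread, from Tomcat or from Axon Ivy. It parses Set-Cookie values in the form Tomcat emits, reports the Secure/HttpOnly/SameSite attributes per session cookie, and offers an optional live fetch using only the standard library. The two sample header sets are constructed to illustrate the difference described in the report (filter path without Secure, valve path with Secure); the host and path used by the live check are assumptions.

```python
"""Check whether a JSESSIONID Set-Cookie header carries the Secure flag.

Added example (not from the mailing-list thread or from Tomcat). Use it
against a Tomcat instance behind a TLS-terminating reverse proxy to see
whether the session cookie is issued with Secure.
"""
import http.client
from typing import Dict, List, Optional


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into cookie name, value and attributes.

    Attribute names are compared case-insensitively, as RFC 6265 requires.
    Flag attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_session_cookie(set_cookie_values: List[str],
                         cookie_name: str = "JSESSIONID") -> List[Dict[str, object]]:
    """Return one finding per cookie named cookie_name: which hardening
    attributes it carries. Other cookies are ignored."""
    findings = []
    for raw in set_cookie_values:
        cookie = parse_set_cookie(raw)
        if cookie["name"] != cookie_name:
            continue
        attrs = cookie["attrs"]
        findings.append({
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "samesite": attrs.get("samesite"),
        })
    return findings


def session_cookie_is_secure(set_cookie_values: List[str],
                             cookie_name: str = "JSESSIONID") -> bool:
    """True only if at least one session cookie was issued and every one of
    them has the Secure attribute. No session cookie at all counts as a
    failure, so a response that never creates a session cannot pass by accident."""
    findings = check_session_cookie(set_cookie_values, cookie_name)
    return bool(findings) and all(f["secure"] for f in findings)


def fetch_set_cookies(host: str, path: str = "/", port: int = 443,
                      use_tls: bool = True, timeout: float = 5.0) -> List[str]:
    """Live check (assumed host/path): request `path` through the proxy and
    collect every Set-Cookie header. Not exercised offline."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        # get_all() keeps duplicate headers, which Set-Cookie commonly is.
        return resp.msg.get_all("Set-Cookie") or []
    finally:
        conn.close()


# Constructed sample responses, not captured from any real system.
# The first models the RemoteIpFilter case from the report (Secure missing);
# the second models the RemoteIpValve / web.xml cookie-config case.
RESPONSE_VIA_FILTER = [
    "JSESSIONID=A1B2C3D4E5F6; Path=/app; HttpOnly",
    "theme=dark; Path=/; Secure",
]
RESPONSE_VIA_VALVE = [
    "JSESSIONID=A1B2C3D4E5F6; Path=/app; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for label, headers in (("filter", RESPONSE_VIA_FILTER), ("valve", RESPONSE_VIA_VALVE)):
        print(label, "secure" if session_cookie_is_secure(headers) else "NOT secure",
              check_session_cookie(headers))
```

Run it as-is to see the two constructed cases; replace the sample lists with `fetch_set_cookies("proxy.example.org", "/app/")` (assumed hostname) to test a real deployment. A pass on the valve configuration and a fail on the filter configuration reproduces the report.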