Re: AW: JSessionId secure attribute not set if RemoteIpFilter with X-Forwarded-Proto https is used

2023-02-15 Thread Ivano Luberti
Hi Reto, fortunately I use RemoteIpValve, but I would like to know, if 
you have time, what advantages there would be in using RemoteIpFilter.


TIA


On 09/02/2023 08:50, Reto Weiss wrote:

Hi Mark

Reported as https://bz.apache.org/bugzilla/show_bug.cgi?id=66471

Regards

Reto

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


--

Archimede Informatica processes personal data in accordance with
EU Regulation No. 2016/679 (GDPR) and Legislative Decree No. 196 of 30 June 2003,
as amended by Legislative Decree No. 101 of 10 August 2018.
Full privacy notice



dott. Ivano Mario Luberti

Archimede Informatica società cooperativa a r. l.
Via Gereschi 36, 56127 Pisa

tel.: +39 050/580959 | fax: +39 050/8932061

web: www.archicoop.it
linkedin: www.linkedin.com/in/ivanoluberti
facebook: www.facebook.com/archimedeinformaticapisa/


AW: JSessionId secure attribute not set if RemoteIpFilter with X-Forwarded-Proto https is used

2023-02-08 Thread Reto Weiss
Hi Mark

Reported as https://bz.apache.org/bugzilla/show_bug.cgi?id=66471

Regards

Reto




Re: JSessionId secure attribute not set if RemoteIpFilter with X-Forwarded-Proto https is used

2023-02-08 Thread Mark Thomas

On 08/02/2023 12:26, Reto Weiss wrote:

Hi There

I use Tomcat 9.0.68 and the 
org.apache.catalina.filters.RemoteIpFilter Filter behind an NGINX 
reverse proxy. On the NGINX I set the HTTP header X-Forwarded-Proto to 
https.


If I now make a request with a browser to the reverse proxy, the 
JSESSIONID cookie I get back is missing the secure attribute.


I have debugged the RemoteIpFilter: the isSecure flag of the wrapper 
request it creates is correctly set to true. Unfortunately, the method 
getSession() or getSession(Boolean) is forwarded to the wrapped original 
request, where the isSecure flag is still not set. Therefore, the 
JSESSIONID cookie is missing the secure flag. See 
org.apache.catalina.connector.Request method doGetSession and 
org.apache.catalina.core.ApplicationSessionCookieConfig method 
createSessionCookie.


This seems to be a bug.

As a workaround org.apache.catalina.valves.RemoteIpValve can be used, 
which seems to handle this correctly. Also, the secure flag can be 
enforced by setting it in the web.xml.


However, I would like to use RemoteIpFilter because it has some 
advantages over the RemoteIpValve or statically setting it in the web.xml.


Should I file an issue for this?


Yes please. Thanks for reporting this.

Mark




JSessionId secure attribute not set if RemoteIpFilter with X-Forwarded-Proto https is used

2023-02-08 Thread Reto Weiss
Hi There

I use Tomcat 9.0.68 and the org.apache.catalina.filters.RemoteIpFilter Filter 
behind an NGINX reverse proxy. On the NGINX I set the HTTP header 
X-Forwarded-Proto to https.
If I now make a request with a browser to the reverse proxy, the JSESSIONID 
cookie I get back is missing the secure attribute.
I have debugged the RemoteIpFilter: the isSecure flag of the wrapper request it 
creates is correctly set to true. Unfortunately, the method getSession() or 
getSession(Boolean) is forwarded to the wrapped original request, where the 
isSecure flag is still not set. Therefore, the JSESSIONID cookie is missing the 
secure flag. See org.apache.catalina.connector.Request method doGetSession and 
org.apache.catalina.core.ApplicationSessionCookieConfig method 
createSessionCookie.

This seems to be a bug.

As a workaround org.apache.catalina.valves.RemoteIpValve can be used, which seems 
to handle this correctly. Also, the secure flag can be enforced by setting it in 
the web.xml.

However, I would like to use RemoteIpFilter because it has some advantages over 
the RemoteIpValve or statically setting it in the web.xml.

Should I file an issue for this?

Regards

Reto Weiss
El. Ing. HTL
Product Owner / Core Developer
Axon Ivy AG


+41 41 249 25 70
reto.we...@axonivy.com
www.axonivy.com
Baarerstrasse 12 ∙ CH-6300 Zug

