No, this will not work, as it's just creating a session cookie for SSL under a
new name.
We need to secure all the cookies going over an SSL connection.
Thanks,
Abhinav


> Message: 1
> Date: Thu, 10 Sep 2009 20:02:12 +0300
> From: Kai Virkki <kai.vir...@gmail.com>
> Subject: Re: [Resin-interest] Cookie security over SSL (https) connections
> To: General Discussion for the Resin application server <resin-interest@caucho.com>
> Message-ID: <f895beb60909101002u2cdfae40qdf46b78e5e3f8...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi!
>
> Have you tried using ssl-session-cookie configuration?
>
> Here's the documentation:
>
> http://caucho.com/resin-3.1/doc/cluster-tags.xtp#ssl-session-cookie
>
>
> Cheers,
> Kai
>
>
> 2009/9/9 Abhinav Gupta <abhi...@appirio.com>:
> > Hi All,
> >
> >
> > This problem is regarding cookie security over SSL (https). We are running a
> > J2EE web application; our motive is to get the cookie's "isSecure" flag set
> > to true. We tried researching around the Resin config settings for this but
> > had no luck. Details of the approach we tried and the issue faced are
> > elaborated below.
> >
> > Environment Details
> > ====================
> > 1. Resin 3.1.7 server running a web application called "tool"
> > 2. Apache is in front, forwarding/redirecting all inbound traffic to the
> > Resin server.
> > 3. Apache is set up with trusted SSL certificates from GoDaddy.
> >
> >
> > Problem Details
> > ================
> > By default, for all secure https requests, Resin is sending cookies back
> > with the "isSecure" flag as false.
> > We tried looking for Resin config settings to fix this, but can't find any
> > setting. So we created a servlet filter in our webapp to trap all inbound
> > requests and manually set the isSecure flag to true.
> >
> > This servlet filter approach partially fixed the problem. We are saying
> > partially because there are two cookies created by the application in the
> > browser.
> >
> > Cookie 1: Its path is "<domain name>/" and the isSecure flag is "false"
> > Cookie 2: Its path is "<domain name>/tools" and the isSecure flag is "true"
> >
> > So Cookie 2 is as expected, but Cookie 1 is not coming back secured. To fix
> > this we tried deploying the same servlet filter in the ROOT webapp of Resin,
> > but the problem persisted as before.
> >
> >
> > Here is the servlet filter code.
> >
> > import java.io.IOException;
> > import javax.servlet.*;
> > import javax.servlet.http.*;
> >
> > public class CookieFilter implements Filter {
> >
> >     public void doFilter(ServletRequest req, ServletResponse res,
> >             FilterChain chain) throws ServletException, IOException {
> >         // Secure if it's an HTTP based request
> >         if (req instanceof HttpServletRequest) {
> >             HttpServletRequest httpReq = (HttpServletRequest) req;
> >             HttpServletResponse httpRes = (HttpServletResponse) res;
> >             Cookie[] cookies = httpReq.getCookies();
> >             if (cookies != null && cookies.length > 0) {
> >                 for (Cookie cookie : cookies) {
> >                     // Make the cookie secure
> >                     cookie.setSecure(true);
> >                     // Add it to the response
> >                     httpRes.addCookie(cookie);
> >                 }
> >             }
> >         }
> >         chain.doFilter(req, res);
> >     }
> >
> >     public void init(FilterConfig arg0) throws ServletException {
> >     }
> >
> >     public void destroy() {
> >     }
> >
> > }
> >
> > Please suggest.
> >
> > Regards,
> > Abhinav
> >
> > _______________________________________________
> > resin-interest mailing list
> > resin-interest@caucho.com
> > http://maillist.caucho.com/mailman/listinfo/resin-interest
> >
> >
>
> End of resin-interest Digest, Vol 39, Issue 6
> *********************************************
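An added example, not code from this thread: a filter that wraps the response so every cookie the application adds is flagged Secure when the request arrived over TLS, instead of copying request cookies back to the client as the quoted filter does. The X-Forwarded-Proto header name is an assumption about how the Apache front end passes the scheme through.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not the thread's code): wrap the response so every cookie the
// application adds is flagged Secure when the request arrived over TLS. Unlike
// the quoted filter it never copies request cookies back to the client, which
// is what produced a second cookie under "/tools" next to the original at "/".
public class SecureCookieFilter implements Filter {

    // Assumed header name; only the TLS-terminating Apache in front should set
    // it, and Apache must overwrite any copy arriving from the client.
    private static final String FORWARDED_PROTO = "X-Forwarded-Proto";

    public void init(FilterConfig cfg) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && isTls((HttpServletRequest) req)) {
            // Cookies added through this wrapper get the flag before the
            // Set-Cookie header is written, so no duplicate cookie is created.
            res = new SecureCookieResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    // Behind a proxy that terminates TLS the container's isSecure() is false
    // unless the connector passes the scheme through, so the forwarded
    // protocol header (trusted only from the proxy) is checked as well.
    static boolean isTls(HttpServletRequest req) {
        return req.isSecure()
            || "https".equalsIgnoreCase(req.getHeader(FORWARDED_PROTO));
    }

    static class SecureCookieResponse extends HttpServletResponseWrapper {
        SecureCookieResponse(HttpServletResponse res) { super(res); }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            super.addCookie(cookie);
        }
    }
}
```

A cookie the container writes to the underlying response itself, such as a session cookie issued at path "/", may never pass through this wrapper, which is why that one needs a container-level setting rather than a webapp filter.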