Setting the cookie.secure attribute basically appends the 'Secure' flag when the Set-Cookie: header is added (you can see an example of what this might look like at runtime here: http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path). That's all Shiro can do and any resulting behavior would be browser specific.
You can see that logic in the SimpleCookie implementation here: https://github.com/apache/shiro/blob/trunk/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java#L222

Check the response headers - I don't see any reason why Shiro wouldn't correctly set the flag in your case. If it's not, please let us know.

HTH!

Cheers,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Fri, Apr 19, 2013 at 11:17 AM, A Harrison <[email protected]> wrote:

> In my shiro.ini I have set
>
> securityManager.sessionManager.sessionIdCookie.secure = true
>
> but when I inspect the cookie in Chrome, there is no checkmark under the
> Secure column (it's present for HttpOnly, as expected given Shiro's default
> for SimpleCookie). I am serving the web app over SSL with a self-signed
> cert during development. Is the self-signing a problem? Is there a way to
> programmatically check that the Secure attribute is being honored? Or am I
> concerned over nothing?
>
> Thanks,
> Andrew
>
> PS -- apologies if this message is duplicated; Nabble issues.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Secure-attribute-of-session-ID-cookie-tp7578632.html
> Sent from the Shiro User mailing list archive at Nabble.com.
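The reply above suggests checking the response headers. As an added example (not part of the original thread and not Shiro's code), this Python code parses the Set-Cookie headers of a response and reports which of the Secure and HttpOnly flags are missing for the session cookie. The cookie name JSESSIONID, the function names and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie response headers for the Secure / HttpOnly flags.
# The header lists at the bottom are constructed sample data, not a real capture.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
    Flag attributes such as Secure and HttpOnly carry no value and map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookie(headers, cookie_name, required=("secure", "httponly")):
    """Return {header_index: [missing flags]} for each Set-Cookie of cookie_name.

    headers is a list of (header-name, header-value) pairs read from a response.
    Raises LookupError if the cookie is never set, so an absent cookie cannot
    be mistaken for a passing check.
    """
    findings, seen = {}, False
    for i, (hname, hvalue) in enumerate(headers):
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hvalue)
        if name != cookie_name:
            continue
        seen = True
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[i] = missing
    if not seen:
        raise LookupError(f"no Set-Cookie header for {cookie_name!r}")
    return findings


# Constructed responses: one sets the Secure flag, one does not.
GOOD = [("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=abc123; Path=/app; Secure; HttpOnly")]
BAD = [("set-cookie", "JSESSIONID=abc123; Path=/app; HTTPONLY"),
       ("Set-Cookie", "theme=dark; Path=/")]

if __name__ == "__main__":
    print(audit_cookie(GOOD, "JSESSIONID"))
    print(audit_cookie(BAD, "JSESSIONID"))
```

Feed it the header pairs from whatever HTTP client is used against the development server; the check reads only what the server sent, so it is independent of how a given browser displays the cookie.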
