Also, take a look at this: https://shiro.apache.org/web.html#Web-SessionCookieConfiguration
and set 'secure' = true On Fri, Apr 25, 2014 at 3:22 PM, [email protected] <[email protected]>wrote: > Ah, to answer my own question, it seems I can just extend > DefaultWebSessionManager (which I already did for my project) and set the > attribute on the cookie in the constructor. Basically, I have: > > > That was easy! > > I can see not wanting to set this by default, but it might make sense for > Shiro to have a SecureWebSessionManager class that did this. > > > > > -- > View this message in context: > http://shiro-user.582556.n2.nabble.com/JSESSIONID-not-Secure-tp7579894p7579895.html > Sent from the Shiro User mailing list archive at Nabble.com. >
