Did you make the changes to <CATALINA_HOME>/conf/web.xml? It seems you may
have made them just to that specific our_app application.

Are you sure you are testing it correctly?
Can you try https://gf.dev/http-headers-test


On 31/12/20, 8:29 pm, "Amit Khosla" <amitkhosla.j...@gmail.com> wrote:

    Thanks for the reply.
    We did restart the server while trying. The issue is still there even after
    the restart.

    On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <darryl.le...@unsw.edu.au>
    wrote:

    > <session-config>
    >     <cookie-config>
    >         <http-only>true</http-only>
    >         <secure>true</secure>
    >     </cookie-config>
    > </session-config>
    >
    > Restart the server.
    >
    > On 31/12/20, 3:50 pm, "Amit Khosla" <amitkhosla.j...@gmail.com> wrote:
    >
    >     Hi Team,
    >
    >     We are looking forward to JSESSIONID being secure.
    >
    >     We made changes in web.xml in tomcat/conf:
    >
    >        <session-config>
    >           <cookie-config>
    >              <http-only>true</http-only>
    >              <secure>true</secure>
    >           </cookie-config>
    >        </session-config>
    >
    >     But even after the changes, we are not able to get the JSESSIONID
    >     cookie as secure.
    >
    >     We also tried changes in web.xml of our application, i.e.,
    >     tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not getting
    >     it secure.
    >
    >     Tomcat version we are using is 8.5.53.
    >
    >     We are getting the same issue on Windows as well as Linux machines.
    >
    >     Can you please guide us on what can be done, as this is required as per
    >     security compliance?
    >
    >     Thanks & Regards
    >
    >     Amit
    >

    -- 
    Thanks & Regards
    Amit Khosla

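One way to test the result discussed in this thread without relying on an external tester, as an added example that is not part of the original messages: parse the response's Set-Cookie headers and report which of the Secure and HttpOnly attributes are missing from JSESSIONID. The sample header lines and the function names are constructed for illustration.

```python
"""Check Set-Cookie response headers for the Secure and HttpOnly attributes."""

# Constructed sample headers (not captured from the poster's server).
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/our_app; HttpOnly",
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/our_app; Secure; HttpOnly",
    "Set-Cookie: theme=dark; Path=/; secure",
    "Content-Type: text/html;charset=UTF-8",
]


def parse_set_cookie(header_line):
    """Return (cookie name, set of attribute names) for a Set-Cookie line, else None."""
    field, sep, value = header_line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    name, eq, _ = parts[0].partition("=")
    if not eq or not name:
        return None
    # Attribute names are case-insensitive; keep only the name before any "=".
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), attrs


def audit_cookie(header_lines, cookie_name="JSESSIONID",
                 required=("secure", "httponly")):
    """For each Set-Cookie header that sets cookie_name, list the missing attributes."""
    findings = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None or parsed[0] != cookie_name:
            continue
        missing = [a for a in required if a not in parsed[1]]
        findings.append(missing)
    return findings


if __name__ == "__main__":
    for missing in audit_cookie(SAMPLE_HEADERS):
        print("OK" if not missing else "missing: " + ", ".join(missing))
```

Feed it the raw header lines of the response that first creates the session, since that is the response carrying the JSESSIONID Set-Cookie header.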