users@glassfish.java.net

Re: Secure Cookies in Glassfish

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Tue, 25 Jun 2013 10:32:37 -0700

HttpOnly is true by default.
For secure, by default, secure=true if the initiated request is https,
and secure=false otherwise.
If you want to have secure=true all the time, then you need to specify
it in web.xml.
You can specify the behavior of each web application by putting the
following in the corresponding web.xml.
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

       Shing Wai Chan

On 6/25/13 7:49 AM, Rowley, Scott M wrote:
>
> First time "poster" here so please forgive me if I inadvertently "do
> something wrong"...
>
> Version = GlassFish Server Open Source Edition 3.1.2 (build 23), JRE
> version 1.6.0_30
>
> I need to use the following information to secure all cookies in our
> glassfish instance.
>
> http://docs.oracle.com/cd/E18930_01/html/821-2417/beash.html
>
> In particular we want to use the httpOnly and Secure flags for all
> cookies. I need assistance in knowing the syntax needed and what file
> to place this information in.
>
> Thank you,
>
> Scott Rowley
>
> Sr Administrator, Systems
>
> Health and Civilian Solutions
>
> 1401 50th St. Suite 200
>
> West Des Moines, IA 50266
>
> (515) 226-1894 direct
>
> scott.rowley_at_gdit.com
>
> www.gdit.com <http://www.gdit.com/>
>
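
A way to confirm the setting took effect, added here as an example and not part of the original thread: the Python below parses `Set-Cookie` response header values and lists every cookie that lacks `Secure` or `HttpOnly`. `<cookie-config>` governs the session tracking cookie, so cookies the application creates itself are checked as well. The header values, the `prefs` cookie and the `/app` path are constructed samples.

```python
"""Audit Set-Cookie header values for the Secure and HttpOnly attributes."""
import sys
import urllib.request

REQUIRED = ("secure", "httponly")

# Constructed sample header values (not captured from a real server).
# First list: the default described above for a request that arrived over http.
HTTP_DEFAULT = ["JSESSIONID=0123456789abcdef; Path=/app; HttpOnly"]
# Second list: <secure>true</secure> applied, plus a hypothetical application cookie.
HTTPS_CONFIGURED = [
    "JSESSIONID=0123456789abcdef; Path=/app; Secure; HttpOnly",
    "prefs=compact; Path=/app; Expires=Wed, 25 Jun 2014 10:00:00 GMT",
]


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; Secure and HttpOnly carry no "=value".
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(set_cookie_values):
    """Map each cookie name to the required flags it is missing (empty dict = pass)."""
    findings = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in REQUIRED if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def fetch_set_cookie(url):
    """Collect Set-Cookie values from a live response (final response after redirects)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # With a URL argument, audit that server; otherwise run on the samples above.
    values = fetch_set_cookie(sys.argv[1]) if len(sys.argv) > 1 else HTTP_DEFAULT + HTTPS_CONFIGURED
    for cookie, missing in audit(values).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Run it against both the http and the https listener of the deployed application: with `<secure>true</secure>` in web.xml the session cookie should carry `Secure` on both.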