Re: [jetty-users] Jetty 9.4.5 HttpOnly.

No. How should I do that?


Richard Hoffman, PhD
Software Developer, Principal
U.S. Army Research Laboratory
Contractor, Secure Mission Solutions, a Parsons Company
Phone: 410-306-4906
richard.d.hoffman37.ctr@xxxxxxxx
rdhoffman@xxxxxxxxxxxxxxxxxxxxxxxxxx


From: jetty-users-bounces@xxxxxxxxxxx <jetty-users-bounces@xxxxxxxxxxx> on behalf of Jan Bartel <janb@xxxxxxxxxxx>
Sent: Thursday, May 18, 2017 3:29 AM
To: JETTY user mailing list
Subject: Re: [jetty-users] Jetty 9.4.5 HttpOnly.
 
Actually don't bother following my suggestion, I've checked the code and I can't reproduce the problem at all.  Are you sure you've told your webapp to use $jetty.base/etc/webdefault.xml as its defaultsdescriptor?

Jan

On 18 May 2017 at 09:02, Jan Bartel <janb@xxxxxxxxxxx> wrote:
Have you tried specifying <name>JSESSIONID</name> or whatever the name of the cookie is that you want to use inside the <cookie-config>? Let me know if that works, I'll see if we're not defaulting it to JSESSIONID if not supplied.

Jan

On 18 May 2017 at 01:07, Lord Buddha <lord.buddha@xxxxxxxxx> wrote:
Is it/should it be possible to use jetty.base/etc/webdefault.xml to default the setting of HttpOnly to true for the session cookie?

Have tried

  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>

and

  <session-config>
    <session-timeout>30</session-timeout>
    <http-only>true</http-only>
  </session-config>

Or is there some other alternative besides doing it in the app's web.xml?

/David

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com
Expert assistance from the creators of Jetty and CometD




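An added example, not part of the original thread and not Jetty's own code: a small Python check that a descriptor declares <http-only> where the Servlet 3.0+ deployment descriptor schema puts it, inside <cookie-config>. The function names and the wrapping <web-app> root are assumptions; the two inputs reuse the fragments quoted in the thread.

```python
import xml.etree.ElementTree as ET

def local(tag):
    # Drop a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}.
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def audit_session_cookie(descriptor_xml):
    """Return (http_only, problems) for a web.xml or webdefault.xml document."""
    root = ET.fromstring(descriptor_xml)
    http_only, problems = None, []
    for sc in (e for e in root.iter() if local(e.tag) == "session-config"):
        if children(sc, "http-only"):
            problems.append("<http-only> directly under <session-config>; "
                            "the schema places it inside <cookie-config>")
        for cc in children(sc, "cookie-config"):
            for flag in children(cc, "http-only"):
                http_only = (flag.text or "").strip().lower() == "true"
    if http_only is None:
        problems.append("HttpOnly not declared for the session cookie")
    elif not http_only:
        problems.append("<http-only> is set to false")
    return http_only, problems

# Constructed inputs: the two fragments from the post, wrapped in a root element.
NESTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>"""

FLAT = """<web-app>
  <session-config>
    <session-timeout>30</session-timeout>
    <http-only>true</http-only>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("nested", NESTED), ("flat", FLAT)):
        print(label, audit_session_cookie(doc))
```

The check only inspects the descriptor text; whether a deployed webapp actually reads that file as its defaults descriptor is a separate question, which is the one raised in the thread.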