To prevent cookies from being sent over a non-secure connection, the Secure cookie attribute will need to be set (RFC6265).
Warning: This is dependent on UP-4561.

Note: This is NOT configured to true, by default, to allow demo and test functionality over port 8080 (non-secure).
...
```xml
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
```
This will be configurable in the environment properties files (i.e. filters/local.properties).
```properties
secureSessionCookie=false
```
Secure Cookies for Portlets
Portlet cookies require a different mechanism due to their dynamic nature. To enable secure cookies for portlets, the following needs to be added to portal.properties.
```properties
org.jasig.portal.portlet.container.services.PortletCookieServiceImpl.portalCookieAlwaysSecure=true
```
...
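To confirm that the session and portlet cookie settings above take effect, the Set-Cookie headers returned by the portal can be checked for the Secure and HttpOnly attributes. The following is an added example, not part of the original page or the uPortal code base; the sample headers and the cookie names EXAMPLE_PORTLET_COOKIE and EXAMPLE_PREF are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the Secure and HttpOnly attributes.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are matched case-insensitively (RFC 6265, section 5.2),
    so they are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    # Only the first '=' separates name from value; the value may contain '='.
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(header_values):
    """Return a list of (cookie name, [missing attributes]) for weak cookies."""
    findings = []
    for raw in header_values:
        name, _, attrs = parse_set_cookie(raw)
        missing = [label
                   for label, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
                   if key not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample headers (not captured from a real portal).
SAMPLE_HEADERS = [
    "JSESSIONID=0123ABCD; Path=/; Secure; HttpOnly",    # both attributes set
    "JSESSIONID=0123ABCD; Path=/; HttpOnly",            # secure left at false
    "EXAMPLE_PORTLET_COOKIE=secure; Path=/; httponly",  # "secure" is the value, not a flag
    "EXAMPLE_PREF=a=b; Path=/; SECURE; HttpOnly",       # attribute case does not matter
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
```

Run it against headers collected over the HTTPS port; on the non-secure demo port 8080 the Secure attribute is expected to be absent while `secureSessionCookie=false`.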