Secure Cookie Management

Owned by Benito Gonzalez
Dec 17, 2015
1 min read

To prevent cookies from being sent over a non-secure connection, the Secure cookie attribute will need to be set (RFC6265).

This is dependent on UP-4561.

This is NOT configured to true, by default, to allow demo and test functionality over port 8080 (non-secure).

Secure Cookies for uPortal

This feature is managed by the container (i.e. Tomcat) via configuration in web.xml.

web.xml snippet
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

 

This will be configurable in the environment properties files (i.e. filters/local.properties).

filters/local.properties
secureSessionCookie=false

Secure Cookies for Portlets

Portlet cookies require a different mechanism due to their dynamic nature. To enable secure cookies for portlets, the following needs to be added to portal.properties.

uportal-war/src/main/resources/properties/portal.properties
org.jasig.portal.portlet.container.services.PortletCookieServiceImpl.portalCookieAlwaysSecure=true