How to remove session cookie's secure flag using mod_header? - apache

My Apache Tomcat is running behind an Apache httpd web server connected via mod_jk.
When a browser requests an https page (rather than http) as its first session request, Tomcat sends a session cookie with the secure flag, which makes the user's logged-in session unavailable for http pages later.
How can I remove the session cookie's secure flag using mod_header?
I already tried to add an option into web.xml like below.
<session-config>
    <cookie-config>
        <secure>false</secure>
    </cookie-config>
</session-config>
However, it doesn't work. I guess this option doesn't make the servlet request not secure, and Tomcat will put the secure flag on session cookies unless both the context's session config and the servlet request are not secure.

Here is my own solution added to httpd-vhost.conf for now:
Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"

Related

How to log a specific cookie to the Traefik access log?

In traefik 2.6 it is possible to choose which HTTP headers are logged. Is it also possible to log a specific cookie value as with Apache and NGINX?

How to set cookie-secure directly in weblogic server instead of giving weblogic.xml?

We have to set cookie-secure directly in the WebLogic server instead of giving it in weblogic.xml:
<session-descriptor>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
</session-descriptor>
It sounds like you are trying to have HttpOnly cookies as a default. This is not possible in WebLogic. You could try to add a custom filter class, but you would have to insert this into every web.xml, which is just as much of a hassle.
The better option would be to configure this in a web server or layer 7 load balancer that proxies traffic to WebLogic. For a crude example, insert the following in an Apache virtual host config to add the HttpOnly and Secure flags to every Set-Cookie header.
Header edit Set-Cookie (.*) "$1; HttpOnly; Secure"
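Both Header edit rules on this page (the question's edit* rule that strips Secure from JSESSIONID and the answer's rule above that appends HttpOnly; Secure) rewrite whatever the regex happens to match, so it pays to run them against realistic Set-Cookie values before deploying. The following Python script is an added example, not code from the original posts or from Apache: it approximates the Header edit / edit* semantics with Python's re module (Apache uses PCRE, which agrees for these patterns) and applies each rule to a constructed set of cookies, including one whose value contains "JSESSIONID=" and one that already carries both flags. The anchored variant of the strip rule is an addition as well.

```python
import re

# Constructed Set-Cookie values for the example (not taken from the page). The
# first is the shape Tomcat emits when a session is created on an HTTPS
# request; the others are other cookies an application on the same vhost
# might set, including one whose value happens to contain "JSESSIONID=".
SAMPLE_HEADERS = [
    "JSESSIONID=3F1A2B9C0D; Path=/; Secure; HttpOnly",
    "JSESSIONID=3F1A2B9C0D; Path=/; HttpOnly",
    "remember_me=abc123; Path=/; Secure",
    "next=/app?JSESSIONID=old; Path=/; Secure",
]


def header_edit(value, pattern, replacement, all_matches=False):
    """Approximate Apache's 'Header edit' (first match only) and
    'Header edit*' (every match) on one header value.

    Apache evaluates the regex with PCRE and writes back-references as $N;
    Python's re uses \\N, so the replacement string is translated first.
    As in Apache, text outside the matched span is left untouched.
    """
    py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_repl, value, count=0 if all_matches else 1)


def cookie_attrs(value):
    """Lower-cased attribute names following name=value, duplicates kept."""
    return [p.strip().split("=", 1)[0].lower()
            for p in value.split(";")[1:] if p.strip()]


# (regex, replacement, is_edit_star) triples.
# The question's rule, exactly as posted: unanchored and applied with edit*.
STRIP_SECURE_UNANCHORED = (r"(JSESSIONID=.*)(; Secure)", "$1", True)
# Same rule anchored to the start of the header value, so only the cookie
# actually named JSESSIONID is touched (added variant, not from the page).
STRIP_SECURE_ANCHORED = (r"^(JSESSIONID=.*)(; Secure)", "$1", True)
# The WebLogic answer's rule, as posted.
ADD_FLAGS = (r"(.*)", "$1; HttpOnly; Secure", False)


def apply_rule(rule, headers):
    """Apply one (regex, replacement, edit*) rule to every header value."""
    pattern, replacement, star = rule
    return [header_edit(h, pattern, replacement, star) for h in headers]


if __name__ == "__main__":
    for label, rule in [("edit* strip Secure (unanchored)", STRIP_SECURE_UNANCHORED),
                        ("edit* strip Secure (anchored)", STRIP_SECURE_ANCHORED),
                        ("edit append HttpOnly; Secure", ADD_FLAGS)]:
        print(f"== {label}")
        for before, after in zip(SAMPLE_HEADERS, apply_rule(rule, SAMPLE_HEADERS)):
            print(f"  {before}\n    -> {after}  attrs={cookie_attrs(after)}")
```

Running it shows three things worth knowing before copying either directive: the unanchored strip rule also removes Secure from the unrelated "next" cookie because the pattern matches inside its value, so anchor it with ^; the append rule produces duplicate HttpOnly and Secure attributes on cookies that already have them (browsers tolerate this, but it is a sign the rule is not conditional); and a plain Header edit acts on the onsuccess header table, so use Header always edit if the Set-Cookie you care about arrives on a 3xx login redirect. Finally, stripping Secure means the session id is sent over plain http, where it can be read or injected on the wire; the usual fix for the original problem is to redirect all http requests to https so the Secure cookie is always available.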

Does it require https in Kestrel behind my https apache proxy server?

I am not quite clear on whether the Kestrel server needs to be encrypted as a localhost server.
I use Apache with HTTPS as the proxy server for the Kestrel server. Does it require running https in Kestrel as well? In theory, what passes through the Apache proxy server (HTTPS enabled) should be encrypted, right?
Please shed some light if you have any ideas.
No, you don't have to encrypt the traffic between Apache and Kestrel. Apache (or nginx or IIS) will be the SSL termination point.
However, what you need to make sure of is:
1) that Apache correctly sets the forwarded headers (X-Forwarded-* headers);
2) that Kestrel is correctly configured to use these headers (UseIISIntegration already does that), or register the app.UseForwardedHeaders(); middleware, which also registers them.
Without either one, your requests will fail if the controllers/actions are marked with the [RequireHttps] attribute.

How to refresh jsessionid cookie in Apache/Tomcat loadbalancer

I'm using one Apache HTTPD and multiple Tomcats as the load balancing solution. Session stickiness is based on the JSESSIONID cookie. I have two questions that really need your help.
1) The Tomcat version is 7, and cookies can be shared with subdomains. The domains look like this:
en.mydomain.com
es.mydomain.com
it.mydomain.com
Configured in context.xml
<Context sessionCookieDomain=".mydomain.com" sessionCookiePath="/">
Meanwhile, we have a staging environment that has sub-subdomains, and cookies can also be shared across the domains below:
en.alpha.mydomain.com
es.alpha.mydomain.com
it.alpha.mydomain.com
Configured in context.xml:
<Context sessionCookieDomain=".alpha.mydomain.com" sessionCookiePath="/">
But sometimes the JSESSIONID cookie is shared between en.mydomain.com and en.alpha.mydomain.com, which is not expected.
How can I resolve this issue? Cookies should not be shared between subdomains of different levels.
2) I tried to refresh the JSESSIONID cookie for the above question, but failed. In a Tomcat JSP:
session.invalidate();
session = request.getSession(true);
out.print(session.getId());
The JSESSIONID cookie is refreshed when accessing this Tomcat JSP directly, but stays the same when accessing it through the Apache proxy. Should I modify mod_proxy etc. to support the JSESSIONID cookie refresh when accessing the Apache URL?
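The sharing described in question 1) follows from how browsers match a cookie's Domain attribute, not from anything Apache or mod_proxy does: under RFC 6265 section 5.1.3 a cookie with Domain=.mydomain.com is sent to every host whose name ends in .mydomain.com, and en.alpha.mydomain.com is such a host. The script below is an added example, not code from the original post or from Tomcat. It models a browser's cookie jar holding the two JSESSIONID cookies the two Context configurations produce, applies the RFC 6265 domain-match and ordering rules, and shows which id each Tomcat sees first; the session ids and the ALPHASESSIONID cookie name are constructed for the example.

```python
# Constructed cookie jar (not from the page): one session created on the
# production Tomcat and one on staging, each stored with the Domain attribute
# its Context's sessionCookieDomain sends. "created" is insertion order.
JAR = [
    {"name": "JSESSIONID", "value": "PROD111",
     "domain": ".mydomain.com", "path": "/", "created": 1},
    {"name": "JSESSIONID", "value": "ALPHA222",
     "domain": ".alpha.mydomain.com", "path": "/", "created": 2},
]

# Same jar after the staging Context renames its session cookie with
# <Context sessionCookieName="ALPHASESSIONID" ...> (the name is an assumption).
RENAMED_JAR = [dict(c, name="ALPHASESSIONID") if c["value"] == "ALPHA222" else c
               for c in JAR]


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3: host domain-matches cookie_domain when they are
    identical or host ends with "." + cookie_domain. A leading dot on the
    cookie's Domain attribute is ignored (section 5.2.3)."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == dom or host.endswith("." + dom)


def cookie_header(host, jar=JAR, path="/"):
    """Cookies a browser attaches to a request for host/path, ordered as
    RFC 6265 section 5.4 requires: longer Path first, then earlier creation."""
    sent = [c for c in jar
            if domain_matches(host, c["domain"]) and path.startswith(c["path"])]
    sent.sort(key=lambda c: (-len(c["path"]), c["created"]))
    return [(c["name"], c["value"]) for c in sent]


def session_id_seen_by_tomcat(cookies, cookie_name="JSESSIONID"):
    """Tomcat's CoyoteAdapter takes the first cookie carrying the Context's
    session cookie name; later ones are only consulted when that id is not a
    live session on the node, which this simplified model leaves out."""
    for name, value in cookies:
        if name == cookie_name:
            return value
    return None


if __name__ == "__main__":
    for host in ("en.mydomain.com", "en.alpha.mydomain.com"):
        sent = cookie_header(host)
        print(f"{host}: browser sends {sent}; Tomcat uses "
              f"{session_id_seen_by_tomcat(sent)}")
    sent = cookie_header("en.alpha.mydomain.com", RENAMED_JAR)
    print(f"after renaming: staging Tomcat uses "
          f"{session_id_seen_by_tomcat(sent, 'ALPHASESSIONID')}")
```

The staging host receives both cookies, the older production id is ordered first, and Tomcat prefers the first JSESSIONID it finds, which is why the sharing appears intermittent: it depends on which session was created first and on whether that id is still valid on the node mod_jk routes to. A cookie scoped to a parent domain is always visible to deeper subdomains, so keeping the environments apart needs either a host-specific Domain (or none at all, which makes the cookie host-only) or distinct cookie names as in RENAMED_JAR, where each Tomcat ignores the other environment's cookie even though the browser still sends it.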

Session validation in Apache and Mod_JK

How does Apache or mod_jk validate whether a session has been created, whether the session is valid, and whether the session id is valid? How does Apache handle sessions?
Apache doesn't interfere with (or do any "validation" of) the JSESSIONID cookie at all. It simply propagates everything from the client to Tomcat, and from Tomcat back to the client.