set 'secure' flag to JSESSION id cookie

孤街浪徒 submitted on 2019-12-02 02:28:54

Question


I want to set the 'secure' flag on the JSESSIONID cookie. Is there a configuration in Tomcat 6 for this?

I tried setting 'secure="true"' in the 'Connector' (8080) element of server.xml, but it creates problems ... that is, the connection is getting reset.

Note that in my application, the JSESSIONID is created in 'http' mode (index page); when the user logs in, it switches to 'https' mode.


Answer 1:


If you are using Tomcat 6, you can use the following workaround:

// Re-issue the session cookie with the Secure and HttpOnly attributes set
String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure ; HttpOnly");

See https://www.owasp.org/index.php/HttpOnly for more information.




Answer 2:


Use the attribute useHttpOnly="true". In Tomcat 9 the default value is true.
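
To confirm what either approach actually puts on the wire, the following added example (not part of the original answers) parses Set-Cookie headers and reports which of the Secure and HttpOnly flags a JSESSIONID cookie is missing. The function names and the sample responses are constructed for illustration.

```python
"""Audit Set-Cookie headers for the JSESSIONID flags discussed on this page."""

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased and stripped, so 'secure', 'Secure'
    and ' secure ' all map to the key 'secure'. Bare flags get value ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(headers, cookie_name="JSESSIONID"):
    """Return [(raw_header_value, missing_flags)] for each matching cookie.

    headers is an iterable of (name, value) pairs from a single response.
    Every matching header is reported, so a flagged and an unflagged copy
    of the cookie in the same response both show up.
    """
    results = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":  # header names are case-insensitive
            continue
        name, _value, attrs = parse_set_cookie(hvalue)
        if name == cookie_name:  # cookie names are case-sensitive
            missing = [f for f in REQUIRED_FLAGS if f not in attrs]
            results.append((hvalue, missing))
    return results


# Constructed sample responses (the session id is a made-up value).
NO_FLAGS = [("Content-Type", "text/html"),
            ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app")]
ANSWER1_STYLE = [("SET-COOKIE", "JSESSIONID=0123456789ABCDEF; secure ; HttpOnly")]
HTTPONLY_ONLY = [("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly")]

if __name__ == "__main__":
    for label, resp in (("no flags", NO_FLAGS), ("answer 1 style", ANSWER1_STYLE),
                        ("HttpOnly only", HTTPONLY_ONLY)):
        for raw, missing in audit_session_cookie(resp):
            print(f"{label}: missing={missing or 'none'} <- {raw}")
```

Feed it the headers captured on both the http and the https pages, since the application in the question issues JSESSIONID before the switch to https.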



Source: https://stackoverflow.com/questions/7566264/set-secure-flag-to-jsession-id-cookie
