Question

Just recently, I migrated from web 2.4 to web 3.0. One of the requirements of this migration was that I needed to introduce the 'httponly' cookie in my application. So, I added the following session-config element to my web.xml:

<session-config>
    <session-timeout>240</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

Adding the above session-config to my web.xml is causing an unexpected timeout. I am able to log in to my application, but after that, when I click on anything else, I get kicked out with a message that says 'Session Expired'. Am I doing anything wrong? Any help would be much appreciated.


Solution

<secure>true</secure> means that your browser will send the cookies back to the server only via HTTPS and not via HTTP, so if you are accessing the site via HTTP, then after login you will send no cookie.

OTHER TIPS

I agree with Desislav Kamenov. I faced this problem over HTTP, and when I removed <secure>true</secure> it worked. So the correct configurations for HTTP and HTTPS are as follows:

HTTP:-

<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

HTTPS:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
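The mechanism behind the accepted solution and the two configurations above, as an added example that is not part of either answer: a Servlet 3.0 container turns <secure>true</secure> into the Secure attribute and <http-only>true</http-only> into the HttpOnly attribute on the JSESSIONID Set-Cookie header. The script below models a browser's cookie jar with Python's standard http.cookiejar, stores the session cookie from a simulated login response, and then checks which Cookie header the client would attach to a follow-up request over https:// versus http://. The host name and the JSESSIONID value are constructed for the demonstration. One simplification to be aware of: Python's jar will store a Secure cookie even when the login response itself arrived over plain HTTP (modern browsers refuse to set it in that case), but the outcome for the questioner is the same either way, because a Secure cookie is never sent on an http:// request, so the next click arrives at the server with no session.

```python
"""Why a Secure session cookie looks 'expired' on plain HTTP.

Added example, not code from the original post or answers.  Models a
browser cookie jar with http.cookiejar and compares what gets sent back
for the two web.xml variants (with and without <secure>true</secure>).
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed URLs for the demonstration (not from the original post).
LOGIN_URL = "https://app.example.com/login"
HTTP_PAGE = "http://app.example.com/account"
HTTPS_PAGE = "https://app.example.com/account"

# What the container emits for the two web.xml variants; the session id
# value is made up.
SECURE_AND_HTTPONLY = "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly"
HTTPONLY_ONLY = "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"


class _FakeResponse:
    """Stand-in for an HTTP response: only info() is needed by CookieJar."""

    def __init__(self, headers):
        self._headers = Message()
        for name, value in headers:
            self._headers[name] = value

    def info(self):
        return self._headers


def jar_after_login(set_cookie_header):
    """Return a jar that has processed the login response's Set-Cookie."""
    jar = CookieJar()
    response = _FakeResponse([("Set-Cookie", set_cookie_header)])
    jar.extract_cookies(response, Request(LOGIN_URL))
    return jar


def cookie_header_for(jar, url):
    """Cookie header the jar would attach to a request for url, or None."""
    request = Request(url)
    jar.add_cookie_header(request)          # applies the Secure/scheme check
    return request.get_header("Cookie")


def session_cookie_sent(set_cookie_header, url):
    """True if the JSESSIONID set by set_cookie_header reaches url."""
    header = cookie_header_for(jar_after_login(set_cookie_header), url)
    return header is not None and "JSESSIONID=" in header


def stored_cookie_flags(set_cookie_header):
    """Attributes the jar recorded: Secure is standard, HttpOnly is kept as
    an extra attribute and has no effect on whether the cookie is sent."""
    cookie = next(iter(jar_after_login(set_cookie_header)))
    return {"secure": cookie.secure,
            "httponly": cookie.has_nonstandard_attr("HttpOnly")}


if __name__ == "__main__":
    for label, header in (("secure+httponly", SECURE_AND_HTTPONLY),
                          ("httponly only", HTTPONLY_ONLY)):
        for url in (HTTPS_PAGE, HTTP_PAGE):
            sent = cookie_header_for(jar_after_login(header), url)
            print(f"{label:16} {url:36} Cookie: {sent}")
```

Running it shows the Secure variant returns `JSESSIONID=...` only for the https:// page and nothing for the http:// page, while the HttpOnly-only variant is sent to both; that missing Cookie header on the http:// request is exactly what the server reports as 'Session Expired'. HttpOnly only hides the cookie from script (document.cookie), which a jar does not model, so it never causes this symptom.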

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow