Securing session cookies in Tomcat with httpOnly and secure=true
How to convert a non-secure cookie into a secure one
09-03-2022
Question
I have the following scenario: If I access my web application using HTTPS, Tomcat creates a secure JSESSIONID cookie, which is normal, so nothing wrong so far.
If I access it over HTTP, then Tomcat creates a non-secure JSESSIONID cookie, which is also normal.
My problem is that when I access my web application using HTTP, the cookie is created and right after that Spring Security (<security:intercept-url pattern="/login.action" requires-channel="https"/>) sends me to an HTTPS connection. The problem is that the cookie remains non-secure.
Do you know of any way to fix that? Is there any way to re-create the cookie using Spring Security?
Any help will be greatly appreciated!
Regards, user1532449
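One way to re-create the cookie once the request arrives over HTTPS, as an added example that is not part of the original post or of Spring Security: a servlet filter that invalidates the session started over HTTP and creates a new one on the first HTTPS request. The class name, the marker attribute and the javax.servlet namespace (Tomcat 9 and earlier; Tomcat 10 and later use jakarta.servlet) are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not from the original post): replaces a session that
// started over HTTP with a fresh one the first time it is seen over HTTPS.
public class SecureSessionUpgradeFilter implements Filter {
    // Hypothetical marker attribute: set once a session has completed an HTTPS request.
    private static final String ISSUED_OVER_HTTPS = "example.session.issuedOverHttps";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (request.isSecure() && session != null
                && session.getAttribute(ISSUED_OVER_HTTPS) == null) {
            // The id of this session travelled over plain HTTP: keep its state, drop its id.
            Map<String, Object> saved = new HashMap<>();
            for (String name : Collections.list(session.getAttributeNames())) {
                saved.put(name, session.getAttribute(name));
            }
            session.invalidate();
            // The new session is created on an HTTPS request, so the container
            // issues the replacement JSESSIONID cookie with the Secure flag.
            session = request.getSession(true);
            for (Map.Entry<String, Object> e : saved.entrySet()) {
                session.setAttribute(e.getKey(), e.getValue());
            }
        }
        chain.doFilter(req, res);
        // Mark whatever session exists after an HTTPS request, including one created down the chain.
        HttpSession current = request.getSession(false);
        if (request.isSecure() && current != null) {
            current.setAttribute(ISSUED_OVER_HTTPS, Boolean.TRUE);
        }
    }
}
```

Map the filter ahead of the Spring Security filter chain in web.xml so the session is replaced on the first HTTPS request, before the login page is rendered.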
Solution
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow