Making JSESSIONID cookie be httpOnly in Jetty 7
-
09-07-2021 - |
Pergunta
We're running grails 2.0 + jetty 7.6.6 and need to set JSESSIONID cookie to be httpOnly. All of the answers on stackoverflow seem to refer to either Servlet 3.0 (which requires jetty 8) or to tomcat. Can anyone provide me with a clear way of setting the JSESSIONID cookie be httpOnly for jetty 7.x?
I have tried adding jetty-web.xml file with the following contents, but it still didn't work (i.e. the JSESSIONID wasn't marked as httpOnly):
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="sessionHandler">
<Get name="sessionManager">
<Set name="httpOnly" type="boolean">true</Set>
</Get>
</Get>
</Configure>
Solução
All I had to do is to put the jetty-web.xml in the right folder. Initially I was putting into jetty/etc
folder, but instead it should have been in the WEB-INF
directory.
Licenciado em: CC-BY-SA com atribuição
Não afiliado a StackOverflow