[WEB SECURITY] How to set secure flag for session cookie

sarvesh shete sarvesh.sse at gmail.com
Fri Jun 7 09:10:01 EDT 2013


While developing a Java application I am stuck on one issue. I was
wondering if anyone with Java development and application security
background here can help me out.
The web application is over HTTPS, so I need to set the secure flag for the
session cookie. In my JSP Java project I have implemented the
cookie.setSecure(true) thing right after the user authentication is
successful and the session is created. I have also set the cookie-secure
flag to true in weblogic.xml. It actually forces my web application to work
only on HTTPS, not on HTTP. But in the proxy tool, the word 'secure' is not
seen anywhere in the session id, which is what our penetration testers are
expecting.
Does anybody know how to achieve this?
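
An added example, not part of the original post: a check over response headers for whether the session cookie's Set-Cookie line carries the Secure attribute, which is where a proxy shows the flag (it is never part of the session id value or of the request's Cookie header). The cookie name JSESSIONID, the function names and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit captured response headers for the Secure attribute.
# The header lines below are constructed sample data, not real traffic.

SESSION_COOKIE = "JSESSIONID"  # assumption: the session cookie's name


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, cookie_value, attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), cookie_value.strip(), attrs


def audit_headers(raw_headers, cookie_name=SESSION_COOKIE):
    """Return one finding per Set-Cookie header that sets cookie_name."""
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        # Only Set-Cookie (response) carries attributes; the request
        # Cookie header holds bare name=value pairs and never shows Secure.
        if not sep or header.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name == cookie_name:
            findings.append({"cookie": name, "secure": "secure" in attrs})
    return findings


# Constructed responses: one without the flag on the session cookie, one with it.
WITHOUT_FLAG = (
    "HTTP/1.1 200 OK\n"
    "Set-Cookie: JSESSIONID=constructed-id-1; path=/; HttpOnly\n"
    "Set-Cookie: theme=dark; Secure\n"  # Secure on another cookie does not count
)
WITH_FLAG = (
    "HTTP/1.1 200 OK\n"
    "Set-Cookie: JSESSIONID=constructed-id-2; path=/; HttpOnly; secure\n"
)

if __name__ == "__main__":
    for label, raw in (("without", WITHOUT_FLAG), ("with", WITH_FLAG)):
        print(label, audit_headers(raw))
```
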