
Does the Jetty Maven Plugin 8.0.0.M3 support all of Servlet 3?

Developer https://www.devze.com 2023-03-11 05:30 Source: web

I have the following in my web.xml:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <session-timeout>15</session-timeout>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

However, according to OWASP's Zed Attack Proxy (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project), cookies are still being set by Spring Security w/o the httpOnly or secure flags.

If I deploy the same app in Tomcat 7, it appears to honor these settings from web.xml.


Solution: Put the elements in the correct order:

<session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
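The Servlet 3.0 schema (web-app_3_0.xsd) declares the children of session-config as an ordered sequence: session-timeout, then cookie-config, then tracking-mode, which is why the reordering in the answer works. The following linter is an added example, not code from the question or the answer: it parses a web.xml, flags a session-config whose children are out of that sequence, and checks that cookie-config asks for both HttpOnly and Secure. The sample web.xml is constructed from the question's misordered block.

```python
import xml.etree.ElementTree as ET

# Child order fixed by the xsd:sequence of session-configType in web-app_3_0.xsd.
SESSION_CONFIG_ORDER = ["session-timeout", "cookie-config", "tracking-mode"]
# Flags the session cookie should carry; both are boolean elements in the schema.
REQUIRED_COOKIE_FLAGS = {"http-only": "true", "secure": "true"}


def _local(tag: str) -> str:
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def lint_session_config(web_xml: str) -> list:
    """Return a list of findings; an empty list means the block is well formed."""
    findings = []
    root = ET.fromstring(web_xml)
    configs = [e for e in root.iter() if _local(e.tag) == "session-config"]
    if not configs:
        return ["no <session-config> element found"]
    for cfg in configs:
        children = [_local(c.tag) for c in cfg]
        # Compare the observed order with the schema sequence, ignoring absent elements.
        expected = [t for t in SESSION_CONFIG_ORDER if t in children]
        if children != expected:
            findings.append(f"<session-config> children out of schema order: "
                            f"{children} (expected {expected})")
        cookie_cfg = next((c for c in cfg if _local(c.tag) == "cookie-config"), None)
        if cookie_cfg is None:
            findings.append("<cookie-config> missing; cookie flags not set in web.xml")
            continue
        present = {_local(c.tag): (c.text or "").strip().lower() for c in cookie_cfg}
        for flag, want in REQUIRED_COOKIE_FLAGS.items():
            if present.get(flag) != want:
                findings.append(f"<cookie-config> does not set <{flag}>{want}</{flag}>")
    return findings


# Constructed sample: the misordered block from the question, in the Servlet 3.0 namespace.
MISORDERED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
    <session-timeout>15</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    for finding in lint_session_config(MISORDERED_WEB_XML) or ["OK"]:
        print(finding)
```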
