You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@shiro.apache.org by A Harrison <an...@seekersolutions.com> on 2013/04/19 20:17:37 UTC
Secure attribute of session ID cookie?
In my shiro.ini I have set
securityManager.sessionManager.sessionIdCookie.secure = true
but when I inspect the cookie in Chrome, there is no checkmark under the
Secure column (it's present for HttpOnly, as expected given Shiro's default
for SimpleCookie). I am serving the web app over SSL with a self-signed
cert during development. Is the self-signing a problem? Is there a way to
programmatically check that the Secure attribute is being honored? Or am I
concerned over nothing?
Thanks,
Andrew
PS -- apologies if this message is duplicated; Nabble issues.
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Secure-attribute-of-session-ID-cookie-tp7578632.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Secure attribute of session ID cookie?
Posted by A Harrison <an...@seekersolutions.com>.
Sorry, my mistake -- I had accidentally appended a comment to the end of the
line instead of placing it before the line, and mid-line comments aren't
usable in this context.
--
View this message in context: http://shiro-user.582556.n2.nabble.com/Secure-attribute-of-session-ID-cookie-tp7578632p7578635.html
Sent from the Shiro User mailing list archive at Nabble.com.
Re: Secure attribute of session ID cookie?
Posted by Les Hazlewood <lh...@apache.org>.
Setting the cookie.secure attribute basically appends the 'Secure' flag
when the Set-Cookie: header is added (you can see an example of what this
might look like at runtime here:
http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path). That's all
Shiro can do and any resulting behavior would be browser specific.
You can see that logic in the SimpleCookie implementation here:
https://github.com/apache/shiro/blob/trunk/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java#L222
Check the response headers - I don't see any reason why Shiro wouldn't
correctly set the flag in your case. If it's not, please let us know.
HTH!
Cheers,
--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
On Fri, Apr 19, 2013 at 11:17 AM, A Harrison <
andrew.harrison@seekersolutions.com> wrote:
> In my shiro.ini I have set
>
> securityManager.sessionManager.sessionIdCookie.secure = true
>
> but when I inspect the cookie in Chrome, there is no checkmark under the
> Secure column (it's present for HttpOnly, as expected given Shiro's default
> for SimpleCookie). I am serving the web app over SSL with a self-signed
> cert during development. Is the self-signing a problem? Is there a way to
> programmatically check that the Secure attribute is being honored? Or am I
> concerned over nothing?
>
> Thanks,
> Andrew
>
> PS -- apologies if this message is duplicated; Nabble issues.
>
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Secure-attribute-of-session-ID-cookie-tp7578632.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>