Posted to user@shiro.apache.org by A Harrison <an...@seekersolutions.com> on 2013/04/19 20:17:37 UTC

Secure attribute of session ID cookie?

In my shiro.ini I have set

securityManager.sessionManager.sessionIdCookie.secure = true

but when I inspect the cookie in Chrome, there is no checkmark under the
Secure column (it's present for HttpOnly, as expected given Shiro's default
for SimpleCookie). I am serving the web app over SSL with a self-signed
cert during development. Is the self-signing a problem? Is there a way to
programmatically check that the Secure attribute is being honored? Or am I
concerned over nothing?

Thanks,
Andrew

PS -- apologies if this message is duplicated; Nabble issues.




--
View this message in context: http://shiro-user.582556.n2.nabble.com/Secure-attribute-of-session-ID-cookie-tp7578632.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Secure attribute of session ID cookie?

Posted by A Harrison <an...@seekersolutions.com>.
Sorry, my mistake -- I had accidentally appended a comment to the end of the
line instead of placing it before the line, and mid-line comments aren't
usable in this context.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Secure-attribute-of-session-ID-cookie-tp7578632p7578635.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Secure attribute of session ID cookie?

Posted by Les Hazlewood <lh...@apache.org>.
Setting the cookie.secure attribute basically appends the 'Secure' flag
when the Set-Cookie: header is added (you can see an example of what this
might look like at runtime here:
http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path).  That's all
Shiro can do and any resulting behavior would be browser specific.

You can see that logic in the SimpleCookie implementation here:

https://github.com/apache/shiro/blob/trunk/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java#L222

Check the response headers - I don't see any reason why Shiro wouldn't
correctly set the flag in your case.  If it's not, please let us know.

HTH!

Cheers,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Fri, Apr 19, 2013 at 11:17 AM, A Harrison <
andrew.harrison@seekersolutions.com> wrote:

> In my shiro.ini I have set
>
> securityManager.sessionManager.sessionIdCookie.secure = true
>
> but when I inspect the cookie in Chrome, there is no checkmark under the
> Secure column (it's present for HttpOnly, as expected given Shiro's default
> for SimpleCookie). I am serving the web app over SSL with a self-signed
> cert during development. Is the self-signing a problem? Is there a way to
> programmatically check that the Secure attribute is being honored? Or am I
> concerned over nothing?
>
> Thanks,
> Andrew
>
> PS -- apologies if this message is duplicated; Nabble issues.
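Les's advice is to look at the Set-Cookie response header rather than trust the browser's cookie viewer. The following is an added example, not code from the thread or from Shiro: it parses raw Set-Cookie header values (pasted from the browser's Network panel or an HTTP client) and reports whether the session cookie carries the Secure and HttpOnly attributes. It assumes Shiro's default session cookie name JSESSIONID; the header values are constructed samples.

```python
from http.cookies import SimpleCookie  # stdlib Set-Cookie parser

SESSION_COOKIE_NAME = "JSESSIONID"  # assumed: Shiro's default session id cookie name


def cookie_flags(set_cookie_headers, name=SESSION_COOKIE_NAME):
    """Return {'secure': bool, 'httponly': bool} for the named cookie, or None if absent."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # stops silently at malformed attributes instead of raising
        if name in jar:
            morsel = jar[name]
            # Morsel stores bare flags as True when present and "" when absent
            return {
                "secure": morsel["secure"] is True,
                "httponly": morsel["httponly"] is True,
            }
    return None


def audit(set_cookie_headers, served_over_https=True, name=SESSION_COOKIE_NAME):
    """Return a list of findings; an empty list means the session cookie is flagged as expected."""
    flags = cookie_flags(set_cookie_headers, name)
    if flags is None:
        return [f"no Set-Cookie for {name} in response"]
    findings = []
    if served_over_https and not flags["secure"]:
        findings.append(f"{name} lacks Secure; the browser may send it over plain HTTP")
    if not flags["httponly"]:
        findings.append(f"{name} lacks HttpOnly; it is readable from script")
    return findings


# Constructed sample header values (not captured from a real Shiro deployment)
HEADERS_WITH_SECURE = ["JSESSIONID=abc123; Path=/; HttpOnly; Secure"]
HEADERS_WITHOUT_SECURE = ["JSESSIONID=abc123; Path=/; HttpOnly"]

if __name__ == "__main__":
    for hdrs in (HEADERS_WITH_SECURE, HEADERS_WITHOUT_SECURE):
        print(hdrs, "->", audit(hdrs) or "ok")
```

Feed it the Set-Cookie values from the first response that establishes the session, since later responses typically do not re-send the cookie.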