Posted to users@tomcat.apache.org by Amit Khosla <am...@gmail.com> on 2021/01/01 14:52:42 UTC

Re: Not able to make JSESSIONID cookie secure

Thanks for the reply!

We made changes in <CATALINA_HOME>/conf/web.xml.
But when the changes were not reflected, we made the changes in the specific app as
well. But we could not see the cookie as secure.

We verified this via the response headers seen in the Chrome developer tools. The
cookie JSESSIONID does not have a secure flag.

By the way, Happy New Year!

On Thu, Dec 31, 2020 at 5:01 PM Darryl Lewis <da...@unsw.edu.au>
wrote:

>
> Did you make the changes to <CATALINA_HOME>/conf/web.xml ? It seems you
> may have made them just to that specific our_app application.
>
> Are you sure you are testing it correctly?
> Can you try https://gf.dev/http-headers-test
>
>
> On 31/12/20, 8:29 pm, "Amit Khosla" <am...@gmail.com> wrote:
>
>     Thanks for the reply,
>     we did restart the server while trying. The issue is still there even
>     after the restart.
>
>     On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <
> darryl.lewis@unsw.edu.au>
>     wrote:
>
>     > <session-config>
>     >     <cookie-config>
>     >         <http-only>true</http-only>
>     >         <secure>true</secure>
>     >     </cookie-config>
>     > </session-config>
>     >
>     > Restart the server.
>     >
>     > On 31/12/20, 3:50 pm, "Amit Khosla" <am...@gmail.com>
> wrote:
>     >
>     >     Hi Team,
>     >
>     >
>     >
>     >     We are looking to make the JSESSIONID cookie secure.
>     >
>     >
>     >
>     >     We made changes in web.xml in tomcat/conf
>     >
>     >        <session-config>
>     >
>     >           <cookie-config>
>     >
>     >              <http-only>true</http-only>
>     >
>     >             <secure>true</secure>
>     >
>     >           </cookie-config>
>     >
>     >        </session-config>
>     >
>     >
>     >
>     >     But even after the changes, we are not able to get the JSESSIONID
>     >     cookie as secure.
>     >
>     >     We also tried changes in the web.xml of our application, i.e.,
>     >     tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not
>     >     getting it secure.
>     >
>     >
>     >
>     >     Tomcat version we are using is 8.5.53.
>     >
>     >     We are getting the same issue on Windows as well as Linux machines.
>     >
>     >
>     >
>     >     Can you please guide us on what can be done, as this is required
>     >     as per security compliance?
>     >
>     >
>     >
>     >     Thanks & Regards
>     >
>     >     Amit
>     >
>     >
>
>     --
>     Thanks & Regards
>     Amit Khosla
>
>

-- 
Thanks & Regards
Amit Khosla

Re: Not able to make JSESSIONID cookie secure

Posted by Martin Grigorov <mg...@apache.org>.
Hi Amit,

On Wed, Jan 6, 2021 at 11:15 AM Amit Khosla <am...@gmail.com>
wrote:

> Hi,
>
> Thanks for the reply.
>
> We tried the settings on multiple machines, and found that machines with
> the same configuration gave different results.
> We are getting multiple JSESSIONID cookies being created. In our
> application, we have a multi-tenant application.
> For each tenant we have an nginx running that calls the application URL.
> The URL being hit in the browser is like
> <TENANT>.myapp.com
> We are able to see 2 JSESSIONID cookies being generated for this call on
> some machines:
> 1. domain: /myapp, which has the secure flag.
> 2. domain: /myapp/, which does NOT have the secure flag.
>
> Strangely, on most machines, we find the second cookie being
> generated but the first cookie not generated.
> Only on one of the machines, where we saw the first cookie, did we find
> the secure JSESSIONID cookie being generated in that particular
> environment.
>
> The environment having 2 cookies and the one with one cookie are identical.
> Can you please help me fix the creation of the second cookie, and also
> how to ensure that the first cookie is generated in all environments?
>

I think your issue is in the Nginx config.
Please test first with only Tomcat and see whether it behaves properly.
If it does then ask for more help on the Nginx forums.
If it doesn't then please explain in more detail how exactly you test it,
with configs, URLs, etc.


>
>
> On Tue, Jan 5, 2021 at 1:24 AM Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
> > Mark,
> >
> > On 1/4/21 03:17, Mark Thomas wrote:
> > > On 04/01/2021 06:02, Amit Khosla wrote:
> > >> Hi,
> > >>
> > >> We are still facing this issue. Can someone please help us?
> > >
> > > In a clean 8.5.x install, session cookies are only marked as secure if
> > > the request that triggered the session creation is made over a secure
> > > channel (typically HTTPS).
> > >
> > > If you amend the session configuration in $CATALINA_BASE/conf/web.xml
> > from:
> > >
> > > <session-config>
> > >      <session-timeout>30</session-timeout>
> > > </session-config>
> > >
> > > to
> > >
> > > <session-config>
> > >      <session-timeout>30</session-timeout>
> > >      <cookie-config>
> > >          <secure>true</secure>
> > >      </cookie-config>
> > > </session-config>
> > >
> > > then session cookies will be generated with the secure flag whether or
> > > not the request that triggered the session creation was made over a
> > > secure channel.
> > >
> > > Reviewing the thread:
> > >
> > > Are you sure you are amending the correct web.xml file? One way to
> check
> > > this is to make a deliberate error in the file and confirm that this
> > > error is reported when Tomcat starts.
> > >
> > > Note that you can only use <session-config> once in a web.xml file. If
> > > the web.xml file already contains a <session-config> element you must
> > > add to that existing element.
> > >
> > > Configuration in the application's web.xml file will override the
> global
> > > web.xml file. Make sure that the application's web.xml either does not
> > > specify a value for secure or specifies true.
> > >
> > > If you still have issues:
> > > - start with a clean Tomcat 8.5.x install
> > > - confirm that
> > >    http://localhost:8080/examples/servlets/servlet/SessionExample
> > >    generates a set-cookie header without the secure attribute
> > > - stop Tomcat
> > > - close the browser
> > > - amend conf/web.xml as above
> > > - start Tomcat
> > > - confirm that
> > >    http://localhost:8080/examples/servlets/servlet/SessionExample
> > >    generates a set-cookie header with the secure attribute
> > > - retest with your application
> > >
> > > You must close the browser between each request you expect to generate
> a
> > > session cookie to prevent any existing session from being used.
> >
> > You may be able to avoid this with either of:
> >
> > 1. "Private" browsing mode: use a new "private" tab/window each time
> >
> > 2. Under developer tools / Storage (you may have to poke around for
> > this), you should be able to see the cookies for the host and, if
> > appropriate, delete them.
> >
> > > If this test fails then you'll need to check the application source
> > > code. It is possible that the application is overriding your attempts
> to
> > > make the session cookie secure.
> >
> > +1
> >
> > Other possibilities include a reverse proxy where the client is using
> > HTTPS to communicate with the proxy, but HTTPS is not being used between
> > the proxy and the Tomcat server.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
>
> --
> Thanks & Regards
> Amit Khosla
>

Re: Not able to make JSESSIONID cookie secure

Posted by Amit Khosla <am...@gmail.com>.
Hi,

Thanks for the reply.

We tried the settings on multiple machines, and found that machines with
the same configuration gave different results.
We are getting multiple JSESSIONID cookies being created. In our
application, we have a multi-tenant application.
For each tenant we have an nginx running that calls the application URL.
The URL being hit in the browser is like
<TENANT>.myapp.com
We are able to see 2 JSESSIONID cookies being generated for this call on
some machines:
1. domain: /myapp, which has the secure flag.
2. domain: /myapp/, which does NOT have the secure flag.

Strangely, on most machines, we find the second cookie being
generated but the first cookie not generated.
Only on one of the machines, where we saw the first cookie, did we find
the secure JSESSIONID cookie being generated in that particular environment.

The environment having 2 cookies and the one with one cookie are identical.
Can you please help me fix the creation of the second cookie, and also
how to ensure that the first cookie is generated in all environments?


On Tue, Jan 5, 2021 at 1:24 AM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Mark,
>
> On 1/4/21 03:17, Mark Thomas wrote:
> > On 04/01/2021 06:02, Amit Khosla wrote:
> >> Hi,
> >>
> >> We are still facing this issue. Can someone please help us?
> >
> > In a clean 8.5.x install, session cookies are only marked as secure if
> > the request that triggered the session creation is made over a secure
> > channel (typically HTTPS).
> >
> > If you amend the session configuration in $CATALINA_BASE/conf/web.xml
> from:
> >
> > <session-config>
> >      <session-timeout>30</session-timeout>
> > </session-config>
> >
> > to
> >
> > <session-config>
> >      <session-timeout>30</session-timeout>
> >      <cookie-config>
> >          <secure>true</secure>
> >      </cookie-config>
> > </session-config>
> >
> > then session cookies will be generated with the secure flag whether or
> > not the request that triggered the session creation was made over a
> > secure channel.
> >
> > Reviewing the thread:
> >
> > Are you sure you are amending the correct web.xml file? One way to check
> > this is to make a deliberate error in the file and confirm that this
> > error is reported when Tomcat starts.
> >
> > Note that you can only use <session-config> once in a web.xml file. If
> > the web.xml file already contains a <session-config> element you must
> > add to that existing element.
> >
> > Configuration in the application's web.xml file will override the global
> > web.xml file. Make sure that the application's web.xml either does not
> > specify a value for secure or specifies true.
> >
> > If you still have issues:
> > - start with a clean Tomcat 8.5.x install
> > - confirm that
> >    http://localhost:8080/examples/servlets/servlet/SessionExample
> >    generates a set-cookie header without the secure attribute
> > - stop Tomcat
> > - close the browser
> > - amend conf/web.xml as above
> > - start Tomcat
> > - confirm that
> >    http://localhost:8080/examples/servlets/servlet/SessionExample
> >    generates a set-cookie header with the secure attribute
> > - retest with your application
> >
> > You must close the browser between each request you expect to generate a
> > session cookie to prevent any existing session from being used.
>
> You may be able to avoid this with either of:
>
> 1. "Private" browsing mode: use a new "private" tab/window each time
>
> 2. Under developer tools / Storage (you may have to poke around for
> this), you should be able to see the cookies for the host and, if
> appropriate, delete them.
>
> > If this test fails then you'll need to check the application source
> > code. It is possible that the application is overriding your attempts to
> > make the session cookie secure.
>
> +1
>
> Other possibilities include a reverse proxy where the client is using
> HTTPS to communicate with the proxy, but HTTPS is not being used between
> the proxy and the Tomcat server.
>
> -chris
>
>
>

-- 
Thanks & Regards
Amit Khosla

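The two-cookie situation Amit describes above, and the Set-Cookie check in Mark's test procedure further down the thread, can be verified without a browser. The following Python script is an added example, not code from the thread or from Tomcat: it parses the Set-Cookie headers of a response head, reports each JSESSIONID cookie's scope and whether it carries Secure and HttpOnly, and flags the case where two cookies of the same name are issued on different paths. The response head is constructed for the example; the cookie values are made up, and treating Amit's "/myapp" and "/myapp/" as Path attributes is an assumption, since the message does not say which column of the browser's cookie view they came from.

```python
"""Audit the Set-Cookie headers of one HTTP response for the session cookie's
Secure and HttpOnly attributes. Added example; not from the thread or Tomcat."""
import urllib.request

# Constructed sample response head modelling the two JSESSIONID cookies Amit
# describes. Cookie values are made up; reading "/myapp" and "/myapp/" as the
# Path attribute is an assumption about what the browser's cookie view showed.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/myapp; Secure; HttpOnly\r\n"
    "Set-Cookie: JSESSIONID=FEDCBA9876543210FEDCBA9876543210; Path=/myapp/; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

ATTR_LABELS = {"secure": "Secure", "httponly": "HttpOnly"}


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into name, value and lower-cased attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def set_cookies_from_raw(raw_head):
    """Extract every Set-Cookie header from a raw response head (status line + headers)."""
    cookies = []
    for line in raw_head.splitlines():
        if line.lower().startswith("set-cookie:"):
            cookies.append(parse_set_cookie(line.split(":", 1)[1]))
    return cookies


def audit_session_cookies(cookies, name="JSESSIONID"):
    """Return a list of findings (strings) about the cookies called `name`.
    An empty list means every such cookie carried both Secure and HttpOnly."""
    session = [c for c in cookies if c["name"] == name]
    findings = []
    if not session:
        # Mark's point: a client that already holds a session gets no new cookie,
        # so this is usually a test-setup problem rather than a config problem.
        findings.append("no %s Set-Cookie in the response: was an existing session reused?" % name)
        return findings
    for c in session:
        scope = "Path=%s" % c["attrs"].get("path", "(unset)")
        if "domain" in c["attrs"]:
            scope += " Domain=%s" % c["attrs"]["domain"]
        for attr, label in ATTR_LABELS.items():
            if attr not in c["attrs"]:
                findings.append("%s [%s] lacks %s" % (name, scope, label))
    paths = {c["attrs"].get("path") for c in session}
    if len(paths) > 1:
        # The browser stores each path-scoped cookie separately, so fixing one
        # does nothing for the other.
        findings.append(
            "%d %s cookies with different paths %s: the browser keeps each one, "
            "so an insecure one is still sent over plain HTTP"
            % (len(session), name, sorted(p or "(unset)" for p in paths)))
    return findings


def fetch_set_cookies(url):
    """Live variant of Mark's check. A fresh urllib request carries no cookie
    jar, so every call triggers session creation without closing any browser."""
    with urllib.request.urlopen(url) as resp:
        return [parse_set_cookie(v) for v in resp.headers.get_all("Set-Cookie") or []]


if __name__ == "__main__":
    for finding in audit_session_cookies(set_cookies_from_raw(SAMPLE_RESPONSE)):
        print(finding)
```

To reproduce Mark's before/after test, call fetch_set_cookies("http://localhost:8080/examples/servlets/servlet/SessionExample") and pass the result to audit_session_cookies; because urllib sends no stored cookies, each call creates a new session, which is what Mark's "close the browser" step is there to guarantee. Running the same check once against the tenant URL through nginx and once against Tomcat's own port shows whether the cookie without Secure is produced by Tomcat itself or only appears behind the proxy, which is the separation Martin asks for and the proxy case Chris raises.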
Re: Not able to make JSESSIONID cookie secure

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 1/4/21 03:17, Mark Thomas wrote:
> On 04/01/2021 06:02, Amit Khosla wrote:
>> Hi,
>>
>> We are still facing this issue. Can someone please help us?
> 
> In a clean 8.5.x install, session cookies are only marked as secure if
> the request that triggered the session creation is made over a secure
> channel (typically HTTPS).
> 
> If you amend the session configuration in $CATALINA_BASE/conf/web.xml from:
> 
> <session-config>
>      <session-timeout>30</session-timeout>
> </session-config>
> 
> to
> 
> <session-config>
>      <session-timeout>30</session-timeout>
>      <cookie-config>
>          <secure>true</secure>
>      </cookie-config>
> </session-config>
> 
> then session cookies will be generated with the secure flag whether or
> not the request that triggered the session creation was made over a
> secure channel.
> 
> Reviewing the thread:
> 
> Are you sure you are amending the correct web.xml file? One way to check
> this is to make a deliberate error in the file and confirm that this
> error is reported when Tomcat starts.
> 
> Note that you can only use <session-config> once in a web.xml file. If
> the web.xml file already contains a <session-config> element you must
> add to that existing element.
> 
> Configuration in the application's web.xml file will override the global
> web.xml file. Make sure that the application's web.xml either does not
> specify a value for secure or specifies true.
> 
> If you still have issues:
> - start with a clean Tomcat 8.5.x install
> - confirm that
>    http://localhost:8080/examples/servlets/servlet/SessionExample
>    generates a set-cookie header without the secure attribute
> - stop Tomcat
> - close the browser
> - amend conf/web.xml as above
> - start Tomcat
> - confirm that
>    http://localhost:8080/examples/servlets/servlet/SessionExample
>    generates a set-cookie header with the secure attribute
> - retest with your application
> 
> You must close the browser between each request you expect to generate a
> session cookie to prevent any existing session from being used.

You may be able to avoid this with either of:

1. "Private" browsing mode: use a new "private" tab/window each time

2. Under developer tools / Storage (you may have to poke around for 
this), you should be able to see the cookies for the host and, if 
appropriate, delete them.

> If this test fails then you'll need to check the application source
> code. It is possible that the application is overriding your attempts to
> make the session cookie secure.

+1

Other possibilities include a reverse proxy where the client is using 
HTTPS to communicate with the proxy, but HTTPS is not being used between 
the proxy and the Tomcat server.

-chris



Re: Not able to make JSESSIONID cookie secure

Posted by Mark Thomas <ma...@apache.org>.
On 04/01/2021 06:02, Amit Khosla wrote:
> Hi,
> 
> We are still facing this issue. Can someone please help us?

In a clean 8.5.x install, session cookies are only marked as secure if
the request that triggered the session creation is made over a secure
channel (typically HTTPS).

If you amend the session configuration in $CATALINA_BASE/conf/web.xml from:

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

to

<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>

then session cookies will be generated with the secure flag whether or
not the request that triggered the session creation was made over a
secure channel.

Reviewing the thread:

Are you sure you are amending the correct web.xml file? One way to check
this is to make a deliberate error in the file and confirm that this
error is reported when Tomcat starts.

Note that you can only use <session-config> once in a web.xml file. If
the web.xml file already contains a <session-config> element you must
add to that existing element.

Configuration in the application's web.xml file will override the global
web.xml file. Make sure that the application's web.xml either does not
specify a value for secure or specifies true.

If you still have issues:
- start with a clean Tomcat 8.5.x install
- confirm that
  http://localhost:8080/examples/servlets/servlet/SessionExample
  generates a set-cookie header without the secure attribute
- stop Tomcat
- close the browser
- amend conf/web.xml as above
- start Tomcat
- confirm that
  http://localhost:8080/examples/servlets/servlet/SessionExample
  generates a set-cookie header with the secure attribute
- retest with your application

You must close the browser between each request you expect to generate a
session cookie to prevent any existing session from being used.

If this test fails then you'll need to check the application source
code. It is possible that the application is overriding your attempts to
make the session cookie secure.

Mark



> 
> Thanks & Regards
> Amit
> 
> On Fri, Jan 1, 2021 at 8:22 PM Amit Khosla <am...@gmail.com>
> wrote:
> 
>> Thanks for the reply!
>>
>> We made changes in <CATALINA_HOME>/conf/web.xml.
>> But when the changes were not reflected, we made the changes in the specific app as
>> well. But we could not see the cookie as secure.
>>
>> We verified this via the response headers seen in the Chrome developer tools. The
>> cookie JSESSIONID does not have a secure flag.
>>
>> By the way, Happy New Year!
>>
>> On Thu, Dec 31, 2020 at 5:01 PM Darryl Lewis <da...@unsw.edu.au>
>> wrote:
>>
>>>
>>> Did you make the changes to <CATALINA_HOME>/conf/web.xml ? It seems you
>>> may have made them just to that specific our_app application.
>>>
>>> Are you sure you are testing it correctly?
>>> Can you try https://gf.dev/http-headers-test
>>>
>>>
>>> On 31/12/20, 8:29 pm, "Amit Khosla" <am...@gmail.com> wrote:
>>>
>>>     Thanks for the reply,
>>>     we did restart the server while trying. The issue is still there even
>>>     after the restart.
>>>
>>>     On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <
>>> darryl.lewis@unsw.edu.au>
>>>     wrote:
>>>
>>>     > <session-config>
>>>     >     <cookie-config>
>>>     >         <http-only>true</http-only>
>>>     >         <secure>true</secure>
>>>     >     </cookie-config>
>>>     > </session-config>
>>>     >
>>>     > Restart the server.
>>>     >
>>>     > On 31/12/20, 3:50 pm, "Amit Khosla" <am...@gmail.com>
>>> wrote:
>>>     >
>>>     >     Hi Team,
>>>     >
>>>     >
>>>     >
>>>     >     We are looking to make the JSESSIONID cookie secure.
>>>     >
>>>     >
>>>     >
>>>     >     We made changes in web.xml in tomcat/conf
>>>     >
>>>     >        <session-config>
>>>     >
>>>     >           <cookie-config>
>>>     >
>>>     >              <http-only>true</http-only>
>>>     >
>>>     >             <secure>true</secure>
>>>     >
>>>     >           </cookie-config>
>>>     >
>>>     >        </session-config>
>>>     >
>>>     >
>>>     >
>>>     >     But even after the changes, we are not able to get the JSESSIONID
>>>     >     cookie as secure.
>>>     >
>>>     >     We also tried changes in the web.xml of our application, i.e.,
>>>     >     tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not
>>>     >     getting it secure.
>>>     >
>>>     >
>>>     >
>>>     >     Tomcat version we are using is 8.5.53.
>>>     >
>>>     >     We are getting the same issue on Windows as well as Linux machines.
>>>     >
>>>     >
>>>     >
>>>     >     Can you please guide us on what can be done, as this is required
>>>     >     as per security compliance?
>>>     >
>>>     >
>>>     >
>>>     >     Thanks & Regards
>>>     >
>>>     >     Amit
>>>     >
>>>     >
>>>
>>>     --
>>>     Thanks & Regards
>>>     Amit Khosla
>>>
>>>
>>
>> --
>> Thanks & Regards
>> Amit Khosla
>>
> 
> 




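Mark's three configuration points above (edit the right web.xml, keep a single <session-config>, and watch for the application's web.xml overriding the global file) can be checked mechanically before touching a browser. The script below is an added example, not part of the thread or of Tomcat: it reads a global conf/web.xml and an application WEB-INF/web.xml, applies the override rule Mark states (the application's value wins wherever it sets one), and reports whether the effective cookie configuration still has secure and http-only set to true. Both XML documents are constructed for the example; the application one deliberately sets <secure>false</secure>, the failure mode Mark warns about. How Tomcat itself reports a duplicated <session-config> is not something the thread states; the script simply refuses to merge such a file.

```python
"""Compute the effective session-cookie settings from Tomcat's global and
per-application web.xml. Added example; not from the thread or from Tomcat."""
import xml.etree.ElementTree as ET

# Constructed: the global $CATALINA_BASE/conf/web.xml after Mark's edit, with
# <cookie-config> added inside the existing <session-config>.
GLOBAL_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed: an application WEB-INF/web.xml that quietly undoes the global
# setting by declaring its own <cookie-config> with secure=false.
APP_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>our_app</display-name>
  <session-config>
    <cookie-config>
      <secure>false</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed: the mistake of pasting a second <session-config> block instead
# of extending the existing one.
DUPLICATE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>30</session-timeout></session-config>
  <session-config><cookie-config><secure>true</secure></cookie-config></session-config>
</web-app>
"""

KEYS = ("secure", "http-only", "session-timeout")


def _local(tag):
    """Strip the namespace so 'secure' matches with or without an xmlns declaration."""
    return tag.rsplit("}", 1)[-1]


def parse_session_config(xml_text):
    """Return {'secure', 'http-only', 'session-timeout'} from one web.xml;
    a value of None means the file does not set it."""
    root = ET.fromstring(xml_text.lstrip())
    configs = [e for e in root if _local(e.tag) == "session-config"]
    if len(configs) > 1:
        # Mark's rule: at most one <session-config> per web.xml.
        raise ValueError("%d <session-config> elements found; a web.xml may have only one"
                         % len(configs))
    found = dict.fromkeys(KEYS)
    if not configs:
        return found
    for child in configs[0]:
        name = _local(child.tag)
        if name == "session-timeout":
            found[name] = int((child.text or "").strip())
        elif name == "cookie-config":
            for opt in child:
                oname = _local(opt.tag)
                if oname in ("secure", "http-only"):
                    found[oname] = (opt.text or "").strip().lower() == "true"
    return found


def effective_session_config(global_xml, app_xml):
    """Merge the two files the way Mark describes: the application's web.xml
    overrides the global one wherever it sets a value. Returns (value, source)."""
    g = parse_session_config(global_xml)
    a = parse_session_config(app_xml)
    merged = {}
    for key in KEYS:
        if a[key] is not None:
            merged[key] = (a[key], "WEB-INF/web.xml")
        else:
            merged[key] = (g[key], "conf/web.xml")
    return merged


def audit_session_config(global_xml, app_xml):
    """Return findings for every cookie attribute that is not effectively true."""
    effective = effective_session_config(global_xml, app_xml)
    findings = []
    for key in ("secure", "http-only"):
        value, source = effective[key]
        if value is False:
            findings.append("%s is false (set in %s)" % (key, source))
        elif value is None and key == "secure":
            # Mark's note: with no explicit value, Tomcat 8.5 marks the cookie
            # Secure only when the session-creating request came over HTTPS.
            findings.append("secure is not set in either file; the cookie is Secure "
                            "only for sessions created over HTTPS")
        elif value is None:
            findings.append("%s is not set in either file" % key)
    return findings


if __name__ == "__main__":
    for finding in audit_session_config(GLOBAL_WEB_XML, APP_WEB_XML):
        print(finding)
```

Point the two parse calls at the real files (open them and pass the text) and the findings tell you which file to fix; a ValueError from a duplicated <session-config> is the same mistake Mark's "make a deliberate error and watch the startup log" tip is meant to surface, just caught before Tomcat is restarted.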
Re: Not able to make JSESSIONID cookie secure

Posted by Amit Khosla <am...@gmail.com>.
Hi,

We are still facing this issue. Can someone please help us?

Thanks & Regards
Amit

On Fri, Jan 1, 2021 at 8:22 PM Amit Khosla <am...@gmail.com>
wrote:

> Thanks for the reply!
>
> We made changes in <CATALINA_HOME>/conf/web.xml.
> But when the changes were not reflected, we made the changes in the specific app as
> well. But we could not see the cookie as secure.
>
> We verified this via the response headers seen in the Chrome developer tools. The
> cookie JSESSIONID does not have a secure flag.
>
> By the way, Happy New Year!
>
> On Thu, Dec 31, 2020 at 5:01 PM Darryl Lewis <da...@unsw.edu.au>
> wrote:
>
>>
>> Did you make the changes to <CATALINA_HOME>/conf/web.xml ? It seems you
>> may have made them just to that specific our_app application.
>>
>> Are you sure you are testing it correctly?
>> Can you try https://gf.dev/http-headers-test
>>
>>
>> On 31/12/20, 8:29 pm, "Amit Khosla" <am...@gmail.com> wrote:
>>
>>     Thanks for the reply,
>>     we did restart the server while trying. The issue is still there even
>>     after the restart.
>>
>>     On Thu, Dec 31, 2020 at 11:14 AM Darryl Lewis <
>> darryl.lewis@unsw.edu.au>
>>     wrote:
>>
>>     > <session-config>
>>     >     <cookie-config>
>>     >         <http-only>true</http-only>
>>     >         <secure>true</secure>
>>     >     </cookie-config>
>>     > </session-config>
>>     >
>>     > Restart the server.
>>     >
>>     > On 31/12/20, 3:50 pm, "Amit Khosla" <am...@gmail.com>
>> wrote:
>>     >
>>     >     Hi Team,
>>     >
>>     >
>>     >
>>     >     We are looking to make the JSESSIONID cookie secure.
>>     >
>>     >
>>     >
>>     >     We made changes in web.xml in tomcat/conf
>>     >
>>     >        <session-config>
>>     >
>>     >           <cookie-config>
>>     >
>>     >              <http-only>true</http-only>
>>     >
>>     >             <secure>true</secure>
>>     >
>>     >           </cookie-config>
>>     >
>>     >        </session-config>
>>     >
>>     >
>>     >
>>     >     But even after the changes, we are not able to get the JSESSIONID
>>     >     cookie as secure.
>>     >
>>     >     We also tried changes in the web.xml of our application, i.e.,
>>     >     tomcat/webapps/our_app/WEB-INF/web.xml; but still we are not
>>     >     getting it secure.
>>     >
>>     >
>>     >
>>     >     Tomcat version we are using is 8.5.53.
>>     >
>>     >     We are getting the same issue on Windows as well as Linux machines.
>>     >
>>     >
>>     >
>>     >     Can you please guide us on what can be done, as this is required
>>     >     as per security compliance?
>>     >
>>     >
>>     >
>>     >     Thanks & Regards
>>     >
>>     >     Amit
>>     >
>>     >
>>
>>     --
>>     Thanks & Regards
>>     Amit Khosla
>>
>>
>
> --
> Thanks & Regards
> Amit Khosla
>


-- 
Thanks & Regards
Amit Khosla
Ph: 9911797132