Bug 361135

Summary: Cookie sent always as secure, when sessionManager.setSecureCookies(true)
Product: [RT] Jetty
Reporter: bananista25
Component: server
Assignee: Jan Bartel <janb>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: P3
CC: bananista25, janb, jetty-inbox
Version: unspecified
Target Milestone: 7.5.x
Hardware: All
OS: All
Whiteboard:

Description bananista25 CLA 2011-10-17 09:38:57 EDT
Build Identifier: 8.0.3

When you create an embedded Jetty instance with a session manager that has the secureCookies parameter set to true, your session cookies are sent as secure, even if you connect through plain HTTP.

The problem is probably caused by a change in AbstractSessionManager, method getSessionCookie(HttpSession session, String contextPath, boolean requestIsSecure) - from version 8, the parameter "requestIsSecure" is not used in code anymore.

Formerly the command for creating a cookie was:
new HttpCookie(..., requestIsSecure&&getSecureCookies()); 

Reproducible: Always

Steps to Reproduce:
1. Set sessionManager.setSecureCookies(true);
2. Try to login through plain HTTP.
3. The session cookie is sent with the "Secure" flag.
Comment 1 Greg Wilkins CLA 2011-10-18 21:23:07 EDT
I've added the requestIsSecure check back into jetty 8 trunk. However I will leave this open until we create a unit test for this.
Comment 2 bananista25 CLA 2011-10-24 08:36:11 EDT
Is this fix present in next version 8.0.4?
Comment 3 Jesse McConnell CLA 2011-11-02 15:43:56 EDT
Yes, this fix should have made it into jetty 8.0.4.

Let us know if you still have issues with it.
Comment 4 Jan Bartel CLA 2011-11-08 02:29:56 EST
Actually, there is a clarification that we need to make regarding the semantics of Servlet Spec 3.0, which is implemented in jetty-8.

1. IF SessionCookieConfig.setSecure == true, then a SessionCookie will be marked as secure, regardless of whether the initiating request was HTTP or HTTPS.

2. IF SessionCookieConfig.setSecure == false, then a SessionCookie will be marked as secure only IFF the initiating request was over HTTPS.

Now, what jetty has historically allowed for is a 3rd case:

3. NEVER mark a SessionCookie as secure, on HTTPS or HTTP.

The previous fix did not bring back this 3rd case.

I have just checked in a change which should restore it. To activate it, use the new method: AbstractSessionManager.setSecureRequestOnly(false). The default value for _secureRequestOnly is true, giving case 2. above. So set to false to get case 3.

Also added a unit test for this.

This fix will be present in 8.0.5.

Jan
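The three cases from comment 4, modelled as an added example that is not part of this bug report or of Jetty's code: the two configuration knobs (SessionCookieConfig.setSecure and AbstractSessionManager.setSecureRequestOnly) are plain booleans, and an audit function checks a Set-Cookie header against the expected Secure flag so the symptom in the original report (Secure set on a plain-HTTP response) is caught. The cookie name and header values below are constructed sample data.

```python
# Expected Secure-flag semantics from comment 4 (added example, not Jetty code).
def expected_secure_flag(cookie_config_secure: bool,
                         secure_request_only: bool,
                         request_is_secure: bool) -> bool:
    """Return whether the session cookie should carry the Secure attribute."""
    if cookie_config_secure:
        # Case 1: SessionCookieConfig.setSecure(true) -> always Secure.
        return True
    if secure_request_only:
        # Case 2 (the jetty-8 default): Secure only if the request was HTTPS.
        return request_is_secure
    # Case 3: setSecureRequestOnly(false) -> never mark the cookie Secure.
    return False


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attrs -> True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_session_cookie(scheme: str, set_cookie: str,
                         cookie_config_secure: bool = False,
                         secure_request_only: bool = True) -> list:
    """Compare the Secure flag actually sent against the configured semantics."""
    cookie = parse_set_cookie(set_cookie)
    has_secure = "secure" in cookie["attrs"]
    want_secure = expected_secure_flag(cookie_config_secure,
                                       secure_request_only, scheme == "https")
    findings = []
    if has_secure and not want_secure:
        # The reported bug: browser will never send this cookie back over HTTP.
        findings.append("%s: Secure set on %s response, login over plain HTTP "
                        "breaks" % (cookie["name"], scheme))
    if want_secure and not has_secure:
        findings.append("%s: Secure missing on %s response, cookie may leak "
                        "over cleartext" % (cookie["name"], scheme))
    return findings


# Constructed sample responses (scheme the request arrived on, Set-Cookie sent).
SAMPLE_RESPONSES = [
    ("http", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),   # the bug
    ("https", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),  # correct
    ("http", "JSESSIONID=abc123; Path=/; HttpOnly"),           # correct
]
```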