Bug 328778 - Allow Forcing of Secure Session Cookies
Summary: Allow Forcing of Secure Session Cookies
Status: CLOSED FIXED
Alias: None
Product: Jetty
Classification: RT
Component: server
Version: unspecified
Hardware: All All
Importance: P3 enhancement
Target Milestone: 7.1.x
Assignee: Greg Wilkins CLA
Depends on: 326612
Reported: 2010-10-26 17:57 EDT by David CLA
Modified: 2011-09-20 15:51 EDT (History)
Description David CLA 2010-10-26 17:57:51 EDT
Build Identifier: All

Currently, the session cookie is set as secure (in AbstractSessionManager) if and only if the session manager has been configured with setSecureCookies AND the request creating the cookie is on HTTPS.

However, in most big corporates, HTTPS is terminated on an F5 or similar and the request reverse proxied to the Jetty server over plain HTTP.

If we want to have the cookie marked as secure such that the browser will only transmit the cookie on a secure connection, then we should be able to force Jetty to do so.

Reproducible: Always
Comment 1 Greg Wilkins CLA 2010-10-26 19:46:16 EDT
The session manager uses the Request.isSecure() method to decide if secure cookies should be used.

So even if SSL has been offloaded, the terminator needs to communicate to the server which requests are secure and which are not.

Typically this means that the customize method of the connector needs to be extended to understand how the terminator is communicating this (e.g. SSL Session ID as a header?) and request.setScheme("https") called if the request is secure.

The latest versions of Jetty have support for the X-Forwarded-Proto header, which is now frequently used by proxies: https://bugs.eclipse.org/bugs/show_bug.cgi?id=326612

Can you advise if using this is sufficient for your use-case?
Comment 2 David CLA 2010-10-26 20:26:05 EDT
Indeed, that will do nicely.   

(Perhaps update the Javadoc for AbstractSessionManager.setSecureCookies to make this functionality visible without browsing the source).

Thanks.
Comment 3 David CLA 2010-10-26 20:52:57 EDT
On an F5 Big-IP, the header X-Forwarded-Proto will be defined through a type of iRule:

    when HTTP_REQUEST {
        # Drop any client-supplied value so only the terminator's verdict reaches Jetty
        HTTP::header remove X-Forwarded-Proto
        if { [PROFILE::exists clientssl] } {
            # TLS was terminated on this virtual server
            HTTP::header insert X-Forwarded-Proto https
        } else {
            HTTP::header insert X-Forwarded-Proto http
        }
    }


And then in the context XML, set secureCookies to true:-

  <Property name="Server" id="Server">
    <Call id="SessionIdManager" name="getAttribute">
      <Arg>SessionIdManager</Arg>
    </Call>
  </Property>

  <Set name="sessionHandler">
    <New class="org.eclipse.jetty.server.session.SessionHandler">
      <Arg>
        <New id="hashMgr" class="org.eclipse.jetty.server.session.HashSessionManager">
          <Set name="idManager">
            <Ref id="SessionIdManager"/>
          </Set>
          <Set name="secureCookies">true</Set>
        </New>
      </Arg>
    </New>
  </Set>

Comment 4 Greg Wilkins CLA 2010-10-26 20:56:10 EDT
javadoc enhanced for next release:

    /* ------------------------------------------------------------ */
    /**
     * Set if the session manager should use SecureCookies.
     * A secure cookie will only be sent by a browser on a secure (https) connection to 
     * avoid the concern of cookies being intercepted on non-secure channels.
     * For the cookie to be issued as secure, the {@link ServletRequest#isSecure()} method must return true.
     * If SSL offload is used, then the {@link AbstractConnector#customize(org.eclipse.jetty.io.EndPoint, Request)}
     * method can be used to force the request to be https, or the {@link AbstractConnector#setForwarded(boolean)}
     * can be set to true, so that the X-Forwarded-Proto header is respected.
     * <p>
     * If secure session cookies are used, then a session may not be shared between http and https requests.
     * 
     * @param secureCookies If true, use secure cookies.
     */
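The two settings that the Javadoc above (and comment 1) tie together, shown as an embedded Jetty 7.x server. This is an added example, not code from the bug report or from Jetty itself; it assumes the 7.x API named in this bug (SelectChannelConnector, AbstractConnector#setForwarded, HashSessionManager#setSecureCookies/setHttpOnly), a TLS terminator in front that sets X-Forwarded-Proto as in comment 3, and that port 8080 is reachable only from that terminator. The servlet and its path are illustrative.

```java
// Added example (not from the bug report or from Jetty): embedded Jetty 7.x
// behind a TLS-terminating proxy. Assumes the proxy sets X-Forwarded-Proto
// and that port 8080 is reachable only from that proxy.
import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.server.session.HashSessionManager;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class OffloadedSecureSessionCookies {

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Plain-HTTP connector that the F5 (or similar) forwards to.
        SelectChannelConnector connector = new SelectChannelConnector();
        connector.setPort(8080);
        // Trust X-Forwarded-Proto (and -For/-Host) from the upstream terminator.
        // With this on, Request.isSecure() returns true when the header says
        // https, which is the test AbstractSessionManager uses for the Secure flag.
        connector.setForwarded(true);
        server.addConnector(connector);

        // Secure flag on the session cookie, plus HttpOnly so script in the
        // page cannot read the session id.
        HashSessionManager sessions = new HashSessionManager();
        sessions.setSecureCookies(true);
        sessions.setHttpOnly(true);

        ServletContextHandler context = new ServletContextHandler(server, "/app");
        context.setSessionHandler(new SessionHandler(sessions));
        context.addServlet(new ServletHolder(new EchoServlet()), "/*"); // hypothetical servlet

        server.start();
        server.join();
    }

    /** Creates a session and reports what Jetty believes about the connection. */
    public static class EchoServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            HttpSession session = req.getSession(true); // triggers the Set-Cookie
            resp.setContentType("text/plain");
            resp.getWriter().printf("scheme=%s secure=%s session=%s%n",
                    req.getScheme(), req.isSecure(), session.getId());
        }
    }
}
```

To check the effect, talk to the connector directly from the proxy host once with `X-Forwarded-Proto: https` and once without, and compare the `Set-Cookie` response header: only the first should carry `; Secure`, and both should carry `; HttpOnly`. The header is trusted as-is, so setForwarded(true) belongs only on a connector that clients cannot reach except through the terminator; the terminator must strip any client-supplied X-Forwarded-* before inserting its own, as the iRule in comment 3 does.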
Comment 5 Mark Phippard CLA 2011-01-31 11:07:16 EST
(In reply to comment #3)

> And then in the context XML, set secureCookies to true:-
> 
>   <Property name="Server" id="Server">
>     <Call id="SessionIdManager" name="getAttribute">
>       <Arg>SessionIdManager</Arg>
>     </Call>
>   </Property>
> 
>   <Set name="sessionHandler">
>     <New class="org.eclipse.jetty.server.session.SessionHandler">
>       <Arg>
>         <New id="hashMgr"
> class="org.eclipse.jetty.server.session.HashSessionManager">
>           <Set name="idManager">
>             <Ref id="SessionIdManager"/>
>           </Set>
>           <Set name="secureCookies">true</Set>
>         </New>
>       </Arg>
>     </New>
>   </Set>

Sorry for jumping in on a closed bug.  I cannot figure out where to set this configuration.  Ideally I would like to set it someplace like jetty.xml.  My webapp also has a simple context xml:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/app</Set>
  <Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/app.war</Set>
  <Set name="defaultsDescriptor"><SystemProperty name="jetty.home" default="."/>/etc/webdefault.xml</Set>
</Configure>

I can add it in this file if needed but I have not been able to figure out a syntax that works.  I tried both inside and outside the <Configure> block.
Comment 6 Mark Phippard CLA 2011-01-31 11:38:48 EST
I think I figured it out.  This is what I put in my webapp's context xml:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/app</Set>
  <Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/app.war</Set>
  <Set name="defaultsDescriptor"><SystemProperty name="jetty.home" default="."/>/etc/webdefault.xml</Set>

  <Set name="sessionHandler">
    <New class="org.eclipse.jetty.server.session.SessionHandler">
      <Arg>
        <New id="hashMgr" class="org.eclipse.jetty.server.session.HashSessionManager">
          <Set name="secureCookies">true</Set>
          <Set name="httpOnly">true</Set>
        </New>
      </Arg>
    </New>
  </Set>

</Configure>

Can someone just confirm this should have the desired effect?  The app starts and I *think* I see it making the cookie secure.  I have not been able to tell if the httpOnly setting worked.
Comment 7 Jesse McConnell CLA 2011-09-20 15:51:49 EDT
Resolved -> Closed