Build Identifier: 8.0.3

When you create an embedded Jetty instance with a session manager that has the secureCookies parameter set to true, your session cookies are sent as secure even if you connect through plain HTTP. The problem is probably caused by a change in AbstractSessionManager, method getSessionCookie(HttpSession session, String contextPath, boolean requestIsSecure): from version 8, the parameter "requestIsSecure" is not used in the code anymore. Formerly the command for creating a cookie was: new HttpCookie(..., requestIsSecure&&getSecureCookies());

Reproducible: Always

Steps to Reproduce:
1. Set sessionManager.setSecureCookies(true);
2. Try to login through plain HTTP.
3. The session cookie is sent with the "Secure" flag.
I've added back in the requestIsSecure check into jetty 8 trunk. However I will leave this open until we create a unit test for this.
Is this fix present in next version 8.0.4?
Yes, this fix should have made it into jetty 8.0.4. Let us know if you still have issues with it.
Actually, there is a clarification that we need to make regarding the semantics of Servlet Spec 3.0, which is implemented in jetty-8.

1. IF SessionCookieConfig.setSecure == true, then a SessionCookie will be marked as secure, regardless of whether the initiating request was HTTP or HTTPS.
2. IF SessionCookieConfig.setSecure == false, then a SessionCookie will be marked as secure only IFF the initiating request was over HTTPS.

Now, what jetty has historically allowed for is a 3rd case:

3. NEVER mark a SessionCookie as secure, on HTTPS or HTTP.

The previous fix did not bring back this 3rd case. I have just checked in a change which should restore it. To activate it, use the new method: AbstractSessionManager.setSecureRequestOnly(false). The default value for _secureRequestOnly is true, giving case 2. above. So set to false to get case 3. Also added a unit test for this.

This fix will be present in 8.0.5.

Jan
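The three cases above, exercised against a real embedded server, as an added example that is not part of the bug report or of Jetty's own unit test. It assumes Jetty 8.0.5 or later (where AbstractSessionManager.setSecureRequestOnly exists) and the Servlet 3.0 API on the classpath; the LoginServlet, the /login path and the class name SecureCookieCheck are made up for the example. Each run starts Jetty on a free plain-HTTP port, creates a session so JSESSIONID is issued, and checks whether the Set-Cookie header carries the Secure attribute:

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.session.AbstractSessionManager;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

/**
 * Added example (not from the bug report or Jetty's tests). Assumes Jetty 8.0.5+.
 * Starts an embedded Jetty on a plain-HTTP port, triggers session creation and
 * inspects the Set-Cookie header for "Secure" under the three cases in the thread.
 */
public class SecureCookieCheck {

    /** Hypothetical login endpoint: creating a session makes Jetty emit JSESSIONID. */
    static class LoginServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            req.getSession(true);
            resp.setContentType("text/plain");
            resp.getWriter().println("session created");
        }
    }

    /**
     * Configures the session manager, serves one request over plain HTTP and
     * returns the raw Set-Cookie header (null if no cookie was sent).
     */
    static String setCookieOverPlainHttp(boolean cookieConfigSecure, boolean secureRequestOnly)
            throws Exception {
        Server server = new Server(0); // port 0 = any free port; no SSL connector, so every request is insecure
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new LoginServlet()), "/login");
        server.setHandler(context);

        // Cookie settings must be applied before the context starts: SessionCookieConfig
        // setters throw IllegalStateException once the ServletContext is initialised.
        AbstractSessionManager sm =
                (AbstractSessionManager) context.getSessionHandler().getSessionManager();
        sm.getSessionCookieConfig().setSecure(cookieConfigSecure); // Servlet 3.0 setting (case 1 when true)
        sm.setSecureRequestOnly(secureRequestOnly);                // Jetty-specific; false gives case 3

        server.start();
        try {
            int port = server.getConnectors()[0].getLocalPort();
            HttpURLConnection conn =
                    (HttpURLConnection) new URL("http://127.0.0.1:" + port + "/login").openConnection();
            conn.setInstanceFollowRedirects(false);
            conn.getResponseCode(); // forces the exchange
            return conn.getHeaderField("Set-Cookie");
        } finally {
            server.stop();
        }
    }

    /** True if the Set-Cookie value carries the Secure attribute (attribute names are case-insensitive). */
    static boolean hasSecureFlag(String setCookie) {
        if (setCookie == null) return false;
        for (String attr : setCookie.split(";")) {
            if (attr.trim().equalsIgnoreCase("Secure")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Case 1: setSecure(true) -> Secure flag even over HTTP (what the reporter saw, now by explicit choice)
        report("case 1: setSecure=true,  secureRequestOnly=true ", setCookieOverPlainHttp(true, true));
        // Case 2 (default): flag only on HTTPS requests, so over plain HTTP it must be absent
        report("case 2: setSecure=false, secureRequestOnly=true ", setCookieOverPlainHttp(false, true));
        // Case 3: never mark the cookie secure; over plain HTTP this is indistinguishable from case 2
        report("case 3: setSecure=false, secureRequestOnly=false", setCookieOverPlainHttp(false, false));
    }

    private static void report(String label, String setCookie) {
        System.out.println(label + " -> Secure=" + hasSecureFlag(setCookie) + "  [" + setCookie + "]");
    }
}
```

Only case 1 should print Secure=true here, since there is no HTTPS connector. Cases 2 and 3 differ only when the request arrives over HTTPS: case 2 then sets the flag, case 3 never does. Case 3 is therefore the one to avoid on any deployment that actually serves HTTPS, because a session cookie without Secure will be replayed by the browser over plain HTTP to the same host.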