Forcing Tomcat to use secure JSESSIONID cookie over http


Question

Is there a way to configure Tomcat 7 to create the JSESSIONID cookie with the secure flag in all cases?

The usual configuration results in Tomcat flagging the session cookie with the secure flag only if the connection is made through https. However, in my production scenario, Tomcat is behind a reverse proxy/load balancer which handles (and terminates) the https connection and contacts Tomcat over http.

Can I somehow force the secure flag on the session cookie with Tomcat, even though the connection is made through plain http?

Recommended answer

In the end, contrary to my initial tests, the web.xml solution worked for me on Tomcat 7.

For example, I added this snippet to web.xml and it marks the session cookie as secure even when the reverse proxy contacts Tomcat over plain HTTP.

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
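A practitioner will want to verify that the deployed configuration actually produces the expected flags, since the cookie is set by Tomcat behind the proxy rather than by the TLS terminator. The following Python script is an added example (not part of the original answer) that parses Set-Cookie headers and reports whether the JSESSIONID cookie carries both Secure and HttpOnly; the header values in it are constructed, not captured from a real server.

```python
"""Audit Set-Cookie headers for the JSESSIONID flags that the web.xml
<cookie-config> above is meant to produce (Secure and HttpOnly)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class SessionCookieCheck:
    name: str
    attributes: Dict[str, Optional[str]]
    missing: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie name, attributes).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to None."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), attrs


def check_session_cookie(header_value: str,
                         required: Sequence[str] = ("secure", "httponly")) -> SessionCookieCheck:
    """Report which of the required flags are absent from a Set-Cookie value."""
    name, attrs = parse_set_cookie(header_value)
    return SessionCookieCheck(name, attrs, [flag for flag in required if flag not in attrs])


def audit_response_headers(headers: Sequence[Tuple[str, str]],
                           cookie_name: str = "JSESSIONID") -> List[SessionCookieCheck]:
    """Check every Set-Cookie header that sets the named session cookie.
    Accepts (name, value) pairs, e.g. the list returned by HTTPResponse.getheaders()."""
    results = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            check = check_session_cookie(value)
            if check.name == cookie_name:
                results.append(check)
    return results


# Constructed sample headers: before and after adding <secure>true</secure>.
BEFORE = [("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly")]
AFTER = [("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        for c in audit_response_headers(hdrs):
            print(label, "ok" if c.ok else f"missing flags: {c.missing}")
```

Pointing `audit_response_headers` at the headers of a response fetched through the proxy (and, separately, directly from Tomcat over http) shows whether the flag is set on the cookie itself rather than added by the front end.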
