The `cookieSecure` property can have one of the following values:

- `true`: All JSESSIONID cookies created by the container on behalf of the web application will be marked as secure.
- `false`: All JSESSIONID cookies created by the container on behalf of the web application will be marked as non-secure.
- `dynamic` (default): A JSESSIONID cookie created by the container on behalf of the web application will inherit its security setting from the request that initiated the corresponding session: if the session was initiated by an HTTPS request, its JSESSIONID cookie will be marked as secure, and will remain non-secure otherwise.

Since the default value is `dynamic`, if the first page a user goes to is an HTTPS page (e.g. the login page), the cookie given to the user will be marked as secure. As a result, in many cases, subsequent non-secure HTTP pages may not be able to use the obtained cookie (a browser sends a cookie marked as secure only over HTTPS) and thus the user would be asked to log in one more time.

To overcome this issue, one way is to override the `cookieSecure` property's default value and change it to `false`. You can achieve this goal by updating the `glassfish-web.xml` file to include the following lines:

Note:

- If cookie settings are defined declaratively in the `web.xml` file, the cookie properties defined here will take precedence.
- If cookie settings are defined programmatically using `javax.servlet.SessionCookieConfig` methods, those cookie settings will take precedence over the cookie properties defined here.
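An added example, not taken from the original post: a `glassfish-web.xml` that sets `cookieSecure` as a cookie property under `session-config`. The active line is the `false` override described above, which lets the JSESSIONID cookie be sent over plain HTTP as well as HTTPS; the commented alternative assumes an application served entirely over HTTPS, where `true` keeps the session cookie off unencrypted connections.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WEB-INF/glassfish-web.xml for the web application -->
<glassfish-web-app>
  <session-config>
    <cookie-properties>
      <!-- Override described in the post: JSESSIONID is never marked
           secure, so HTTP pages reached after an HTTPS login still
           receive the session cookie. The cookie is then also sent
           over unencrypted connections. -->
      <property name="cookieSecure" value="false"/>

      <!-- Alternative (assumes every page is served over HTTPS):
           JSESSIONID is always marked secure.
           <property name="cookieSecure" value="true"/>
      -->
    </cookie-properties>
  </session-config>
</glassfish-web-app>
```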