Secure authentication cookie

Hi Guys,

I would like to make the authentication cookie secure. For that I added the configuration below to the application's web.xml.


<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>

Now, after a successful login, I am not able to navigate to any other page. The application throws the error javax.faces.application.ViewExpiredException.

It appears the MWS server is not validating, on page navigation, the jsessionid that is used to identify the user's session.

Do you have any thoughts on why the jsessionid is invalidated after a successful login?

Stack trace:
(javax.enterprise.resource.webcontainer.jsf.context:WARN) - javax.faces.application.ViewExpiredException: viewId:/page.xhtml - View /page.xhtml could not be restored.
at com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:210)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(RestoreViewPhase.java:121)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198)
at com.webmethods.caf.faces.servlet.CAFFacesServlet.service(CAFFacesServlet.java:139)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:595)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:191)
at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:72)
at com.webmethods.portal.framework.presentation.renderers.DefaultRenderer.render(DefaultRenderer.java:324)
at com.webmethods.portal.framework.presentation.PresentationManager.handlePres(PresentationManager.java:434)
at com.webmethods.portal.framework.dispatch.DispatchManager.pres(DispatchManager.java:703)
at com.webmethods.portal.framework.dispatch.DispatchManager.handle(DispatchManager.java:533)
at com.webmethods.portal.framework.dispatch.DispatchManager.handleDispatch(DispatchManager.java:432)
at com.webmethods.portal.framework.impl.PortalServlet.service(PortalServlet.java:329)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

Kind regards,
Raj

Per: https://tools.ietf.org/html/rfc6265#section-4.1.2.5

When the Secure flag is set, the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS.

Plus, I believe MWS would already set the secure flag for https connections without you doing anything special.
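To make Eric's point concrete, here is a small added example (not code from the thread or from MWS) that models the RFC 6265 Secure rule and the JSF RestoreView phase. It shows the mechanism behind the reported symptom: after login the server stores the view state under the session identified by the JSESSIONID cookie; if the next page request goes over plain http://, the browser silently withholds the Secure cookie, the server sees no session, and the saved view cannot be restored. The Set-Cookie header, the session id `node01abc123`, the host `mws.example` and the tiny in-memory session store are all constructed for the example; the path matching is a simplified prefix check.

```python
"""Model of RFC 6265 section 4.1.2.5 (Secure attribute) and of why a Secure
session cookie leads to ViewExpiredException when pages are fetched over HTTP.
Added illustration, not MWS or Mojarra code."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    path: str = "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value: name=value; Attr; Attr=value ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "path" and val.strip():
            cookie.path = val.strip()
    return cookie


def cookies_for_request(jar: list[Cookie], url: str) -> dict[str, str]:
    """Cookies a browser attaches to a request for `url`.

    RFC 6265 section 5.4: a cookie with the Secure attribute is only included
    when the request is made over a secure channel (https). Path matching is
    simplified to a prefix test for the example."""
    parts = urlsplit(url)
    secure_channel = parts.scheme == "https"
    path = parts.path or "/"
    sent: dict[str, str] = {}
    for c in jar:
        if c.secure and not secure_channel:
            continue  # withheld silently; the server simply sees no JSESSIONID
        if not path.startswith(c.path):
            continue
        sent[c.name] = c.value
    return sent


def restore_view(request_cookies: dict[str, str],
                 sessions: dict[str, set[str]], view_id: str) -> str:
    """Toy RestoreView phase with server-side state saving: without a known
    session cookie the saved view cannot be found, which is what surfaces as
    javax.faces.application.ViewExpiredException."""
    sid = request_cookies.get("JSESSIONID")
    if sid is None or view_id not in sessions.get(sid, set()):
        return "ViewExpiredException"
    return "restored"


def simulate_navigation(next_url: str) -> str:
    """Login happened over HTTPS; `next_url` is the page requested afterwards."""
    # Constructed header, as a container with <secure>true</secure> would emit it.
    header = "JSESSIONID=node01abc123; Path=/; HttpOnly; Secure"
    jar = [parse_set_cookie(header)]
    # Constructed server-side store: view state saved in the session after login.
    sessions = {"node01abc123": {"/page.xhtml"}}
    return restore_view(cookies_for_request(jar, next_url), sessions, "/page.xhtml")


if __name__ == "__main__":
    print("https navigation:", simulate_navigation("https://mws.example/page.xhtml"))
    print("http navigation: ", simulate_navigation("http://mws.example/page.xhtml"))
```

The practical check this suggests: confirm in the browser's developer tools (or with a proxy) that the post-login requests actually go to an https:// URL; a redirect or a hard-coded http:// link after login is enough to drop the Secure cookie and reproduce the exception.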

Thanks Eric. It is clear to me now :) Yes, I verified that MWS by default sets this flag on HTTPS.

Kind regards,
Raj