Recently, IBM Security AppScan found an issue that missing secure attribute in encrypted session (ssl) cookie. the report is below:
this app is code by Java and i add a filter to set all cookies secure, code:
public class BasicFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) servletRequest;
Cookie[] cookies = req.getCookies();
HttpServletResponse resp = (HttpServletResponse) servletResponse;
if( cookies != null && cookies.length > 0) {
for (int i = 0; i < cookies.length; i++) {
cookies[i].setSecure(true);
cookies[i].setHttpOnly(true);
resp.addCookie(cookies[i]);
}
}
filterChain.doFilter(req,resp);
}
@Override
public void destroy() {
}
}
it's works while all cookies response twice like that and it will try to login over and over(login with SSO):
Thanks for your kindly help and how can i do to enable secure and solve cookie issue, hope you guys can give me some idea to solve this issue. Thanks!
The same question is posted in IBM support forum as well. You should be looking into configuration fix. please look here
https://www.ibm.com/support/pages/1505-ifix-po05616-missing-secure-attribute-encrypted-session-ssl-cookie-and-missing-httponly-session-cookie