How to set the SESSIONID cookie to HttpOnly and Secure

Document ID : KB000007167
Last Modified Date : 14/02/2018
Issue:

The portal uses the unique identifier SESSIONID during the login process.

This identifier is transferred in a cookie, and that cookie does not carry the following attributes:

HttpOnly - prevents JavaScript from reading the cookie (and with it the session identifier).

Secure - prevents the browser from sending the cookie over unencrypted HTTP.

Resolution:

To ensure that the unique identifier SESSIONID is both Secure and HttpOnly:

1) Make a backup copy of and then edit this file:

/opt/Deployments/lrs/server/conf/server.xml

2) Change this section:

<Connector port="37080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="50443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           compression="on"
           compressableMimeType="text/plain,text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"
/>

to this (the only change is the added secure="true" attribute):

<Connector port="37080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="50443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           compression="on"
           compressableMimeType="text/plain,text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"
           secure="true"
/>

and save the edited file.

3) Make a backup copy of and then edit this file:

/etc/httpd/conf/httpd.conf

4) Add this line (for example, to the end of the file as a new line):

Header edit Set-Cookie (.*) "$1; HttpOnly"

and save the edited file.

5) Run these commands to put the change into effect:

# /opt/Deployments/lrs/server/bin/catalina.sh stop
# service httpd restart
# /opt/Deployments/lrs/server/bin/catalina.sh start
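After step 5, the quickest way to confirm the change took effect is to inspect the Set-Cookie header the portal returns. The shell function below is an added example, not part of this KB article; it reads HTTP response headers and reports whether every Set-Cookie for the named cookie carries both HttpOnly and Secure. The hostname and path in the curl comment are assumptions; the port is the redirectPort from the connector above.

```sh
#!/bin/sh
# Added example (not from the KB): check whether the SESSIONID cookie is
# issued with both the HttpOnly and Secure attributes.
#
# Against the live portal (hostname and path are assumptions):
#   curl -sk -D - -o /dev/null https://portal.example.com:50443/ | check_cookie_flags SESSIONID
#
# Reads HTTP response headers on stdin. Returns 0 when every Set-Cookie for
# the named cookie carries both attributes, 1 otherwise (or if none was seen).
check_cookie_flags() {
    name="${1:-SESSIONID}"
    rc=0
    found=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # curl output is CRLF-terminated
        # Only look at Set-Cookie headers for the cookie we care about.
        printf '%s' "$line" | grep -qi "^set-cookie: *${name}=" || continue
        found=1
        missing=""
        # Cookie attribute names are case-insensitive, hence grep -i.
        printf '%s' "$line" | grep -qi '; *httponly' || missing="$missing HttpOnly"
        printf '%s' "$line" | grep -qi '; *secure'   || missing="$missing Secure"
        if [ -n "$missing" ]; then
            echo "MISSING:$missing  <- $line"
            rc=1
        else
            echo "OK  <- $line"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no Set-Cookie header for $name found"
        rc=1
    fi
    return "$rc"
}

# Constructed sample headers: what the portal returns before the fix...
BEFORE='HTTP/1.1 200 OK
Set-Cookie: SESSIONID=0123456789ABCDEF; Path=/
Content-Type: text/html'
# ...and after the server.xml and httpd.conf changes.
AFTER='HTTP/1.1 200 OK
Set-Cookie: SESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly
Content-Type: text/html'

printf '%s\n' "$BEFORE" | check_cookie_flags SESSIONID || echo "before fix: check failed (expected)"
printf '%s\n' "$AFTER"  | check_cookie_flags SESSIONID && echo "after fix: check passed"
```

If the check still reports HttpOnly missing after step 5, confirm that mod_headers is loaded in httpd, since the Header edit directive in step 4 depends on it.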