Bug#769682: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat

Yann Rouillard yann at pleiades.fr.eu.org
Mon Nov 17 21:20:46 UTC 2014


Hi Florian,

Yes, it could be seen that way, as we discussed with Emmanuel during the
Paris BSP today, but in fact it's even better: I checked and there is no
problem with Tomcat, as the Secure flag is already automatically set
with the default configuration:

  - if Tomcat is accessed through the HTTPS connector, all cookies are
secure thanks to the connector Secure option, which is set by default,
  - if Tomcat is accessed through the AJP13 connector, Apache (or another
webserver) transfers through the AJP protocol the information whether the
connection was through SSL or not, and Tomcat uses it to set the Secure flag
accordingly.

So the upstream patch perfectly solves the issue and I was able to apply it
successfully on the current package source:
https://github.com/yannrouillard/pkg-jenkins

Yann



2014-11-15 18:21 GMT+01:00 Florian Weimer <fw at deneb.enyo.de>:

> > There is already an upstream bug for this problem located at this url:
> > https://issues.jenkins-ci.org/browse/JENKINS-25019
> > with a proposed fix that only addresses the HttpOnly issue for Tomcat.
>
> Why isn't the missing “secure” flag a Tomcat configuration issue?
>
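As an added illustration (not part of the thread, the Jenkins package or the upstream patch), the following script audits the Set-Cookie headers of an HTTP response for the two flags discussed above. It treats Secure as required only when the response was served over TLS, mirroring the Tomcat behaviour Yann describes (the flag follows the connector or the AJP SSL information). The sample response is constructed; cookie names and values are placeholders, not captured Jenkins output.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure flags.

All sample data below is constructed for this example.
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            # Flag attributes (HttpOnly, Secure) end up with an empty value.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def set_cookie_headers(raw_response):
    """Return the values of every Set-Cookie header in a raw HTTP response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    return [line.partition(":")[2].strip()
            for line in head.split("\r\n")[1:]
            if line.lower().startswith("set-cookie:")]


def audit_cookies(header_values, served_over_tls):
    """Return [(cookie_name, [missing flags])] for cookies lacking flags.

    Secure is only expected on a TLS connection: a Secure cookie set over
    plain HTTP would never be sent back by the browser, which is why Tomcat
    derives the flag from the connector (or the AJP SSL indicator).
    """
    findings = []
    for value in header_values:
        name, _, attrs = parse_set_cookie(value)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if served_over_tls and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append((name, missing))
    return findings


# Constructed response: session cookie is HttpOnly but not Secure,
# a second cookie has neither flag.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=CONSTRUCTED0001; Path=/jenkins; HttpOnly\r\n"
    "Set-Cookie: screenResolution=1920x1080; Path=/jenkins\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for name, flags in audit_cookies(set_cookie_headers(SAMPLE_RESPONSE), True):
        print(f"{name}: missing {', '.join(flags)}")
```

Run it against a saved response from both the HTTPS connector and the AJP path behind Apache to confirm the flags are present in each deployment.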