httponly cookie web 3.0 causing unexpected timeout

Question

Just recently, I migrated from web 2.4 to web 3.0. One of the requirements of this migration was that, I need to introduce the 'httponly' cookie in my application. So, I added the following sessionconfig element to my web.xml

<session-config>
<session-timeout>240</session-timeout>
<cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>

Adding the above sessionconfig into my web.xml is causing an unexpected timeout. I am able to login into my application but after that when I click on anything else, I get kicked out with a message that says 'Session Expired'. Am I doing anything wrong? Any help would be much appreciated

Desislav Kamenov · Accepted Answer · 2015-08-04T13:45:38.470

1

<secure>true</secure> means that your browser will send the cookies back to the server only via HTTPS and not via HTTP, so if you are accessing the site via HTTP, then after login you will send no cookie.

edited Aug 04 '15 at 13:45

answered Oct 14 '12 at 06:24

Desislav Kamenov

1,193
6
13

Thanks very much desislav. Should I get rid of true since my site is only accessed using http and not https? – user1066568 Oct 14 '12 at 10:57

score 0 · Answer 2 · answered Jul 01 '15 at 12:27

I agree with Desislav Kamenov. I faced this problem over HTTP and when I removed true it worked. So the correct configuration for both HTTP and HTTPS are as follows:-

HTTP:-

<session-config>
<cookie-config>
    <http-only>true</http-only>
</cookie-config>
</session-config>

HTTPS:

<session-config>
<cookie-config>
    <http-only>true</http-only>
     <secure>true</secure>
</cookie-config>

httponly cookie web 3.0 causing unexpected timeout

2 Answers2