How to remove session cookie's secure flag using mod_header?

Question

My Apache Tomcat is running behind an Apache httpd web server connected via mod_jk.

When a browser requests https page (rather than http) as its first session request, Tomcat sends a session cookie with secure flag which makes user's logged in session unavailable for http pages later.

How can I remove session cookies' secure flag using mod_header?

I already tried to add an option into web.xml like below.

<session-config>
 <cookie-config>
  <secure>false</secure>
 </cookie-config>
</session-config>

However, it doesn't work. I guess this option doesn't make servlet request not secure, and Tomcat will put the secure flag on session cookies unless both context's session config and servlet request are not secure.

score 3 · Accepted Answer · answered Apr 07 '15 at 04:19

3

Here is my own solution added to httpd-vhost.conf for now:

Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"

answered Apr 07 '15 at 04:19

hotohoto

490
8
20

How to remove session cookie's secure flag using mod_header?

1 Answers1