
Recently, IBM Security AppScan found an issue, "Missing secure attribute in encrypted session (SSL) cookie". The report is below:

[screenshot: AppScan report]

This app is coded in Java, and I added a filter to set all cookies secure. Code:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse resp = (HttpServletResponse) servletResponse;
        // Takes every cookie the browser sent with the request, sets Secure and
        // HttpOnly on it, and adds it to the response, so each one is emitted
        // again as a Set-Cookie header on every response.
        Cookie[] cookies = req.getCookies();
        if (cookies != null && cookies.length > 0) {
            for (int i = 0; i < cookies.length; i++) {
                cookies[i].setSecure(true);
                cookies[i].setHttpOnly(true);
                resp.addCookie(cookies[i]);
            }
        }
        filterChain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
    }
}
```

It works, but all cookies are sent twice in the response, like this, and it tries to log in over and over (login with SSO):

[screenshot: duplicated Set-Cookie headers in the response]

Thanks for your kind help. What can I do to enable the Secure flag and solve the cookie issue? I hope you can give me some ideas to solve this. Thanks!

Rollsbean
  • Additionally, most of the cookies are set by single sign-on (SSO), and when I test locally there is no cookie issue because I don't enable SSO locally. Hope this helps. – Rollsbean Jun 06 '18 at 09:49
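The filter in the question copies the browser's request cookies back into the response, so every cookie (including the SSO cookie) is re-issued on each response, which is why they appear twice. As an added example that is not the asker's or IBM's code, the following filter instead wraps the response and hardens only the cookies the application actually sets; the class names are hypothetical and it assumes a Servlet 3.0+ container (javax.servlet).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical replacement for BasicFilter: no request cookies are re-emitted.
public class SecureCookieFilter implements Filter {
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new SecureCookieResponse((HttpServletResponse) res));
    }

    static class SecureCookieResponse extends HttpServletResponseWrapper {
        SecureCookieResponse(HttpServletResponse r) { super(r); }

        // Cookies added through the servlet API get both flags before they leave.
        @Override
        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            cookie.setHttpOnly(true);
            super.addCookie(cookie);
        }

        // Cookies written as raw Set-Cookie headers are patched the same way;
        // every other header passes through unchanged.
        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, harden(name, value));
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, harden(name, value));
        }

        // Appends Secure / HttpOnly to a Set-Cookie value only if they are missing.
        static String harden(String name, String value) {
            if (!"Set-Cookie".equalsIgnoreCase(name) || value == null) return value;
            boolean secure = false, httpOnly = false;
            for (String attr : value.split(";")) {
                String a = attr.trim();
                if (a.equalsIgnoreCase("Secure")) secure = true;
                if (a.equalsIgnoreCase("HttpOnly")) httpOnly = true;
            }
            StringBuilder sb = new StringBuilder(value);
            if (!secure) sb.append("; Secure");
            if (!httpOnly) sb.append("; HttpOnly");
            return sb.toString();
        }
    }
}
```

The container's own session cookie (JSESSIONID) is not set through this filter; for Servlet 3.0+ it is configured in web.xml under session-config / cookie-config with secure and http-only set to true. Cookies issued by an SSO layer outside the application likewise need the flag set in that layer's configuration, as the answer below points out.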

1 Answer


The same question is posted in the IBM support forum as well. You should be looking into a configuration fix. Please look here:

https://www.ibm.com/support/pages/1505-ifix-po05616-missing-secure-attribute-encrypted-session-ssl-cookie-and-missing-httponly-session-cookie

Kul Bhushan Prasad