0

I am using Jetty 9.2.25, which has Servlet 3.1. I have the below cookie configuration in my web.xml:

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>false</secure>
        </cookie-config>
    </session-config>

When I set this secure flag as true, it's working. But when I set it as false as shown above and access the https site, the secure flag is getting modified to true and I am not able to access the http site. I don't understand how this is happening. Is this the default behaviour? I tried to check the Servlet release notes, but there's no such update.

Any idea regarding this behaviour?

How can I make the secure flag false when I access https?

Thanks in advance.

mymiracl
Suman

1 Answer

0

Jetty 9.2.x is EOL (End of Life).

In Jetty 9.4.x (current supported / stable releases of Jetty), you would configure your SessionHandler to not have secure requests on by default to achieve the behavior you want.

    SessionHandler.setSecureRequestOnly(false);

Note: this feature is not available in Jetty 9.2.x

Joakim Erdfelt
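
The setting from the answer above in a minimal embedded Jetty 9.4 server, as an added example that is not part of the original answer or of Jetty's own code. The class names `SessionCookieDemo` and `TouchSession` and port 8080 are assumptions, and the HTTPS connector is left out because it needs a keystore.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class SessionCookieDemo {
    // Hypothetical servlet: creates a session so the response carries Set-Cookie: JSESSIONID=...
    public static class TouchSession extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            req.getSession(true);
            resp.setContentType("text/plain");
            resp.getWriter().println("request.isSecure() = " + req.isSecure());
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // assumed port, plain HTTP connector only
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        ctx.setContextPath("/");

        SessionHandler sessions = ctx.getSessionHandler();
        // Programmatic equivalent of the <cookie-config> element in web.xml.
        // Must be set before the context starts.
        sessions.getSessionCookieConfig().setHttpOnly(true);
        sessions.getSessionCookieConfig().setSecure(false);
        // With this set to false, a session created over HTTPS no longer gets the
        // Secure attribute added automatically, so the browser will also send the
        // session id over plain HTTP.
        sessions.setSecureRequestOnly(false);

        ctx.addServlet(new ServletHolder(new TouchSession()), "/*");
        server.setHandler(ctx);
        server.start();
        server.join();
    }
}
```

To compare both behaviours, add an HTTPS connector and inspect the `Set-Cookie` header of the first response with `setSecureRequestOnly(true)` and then with `false`.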