How to enable SameSite, HTTP-only, and secure cookies in Apache Tomcat - WKB202740
Article number: 202740
OBJECTIVE or GOAL
Enable the HttpOnly, Secure, and SameSite attributes on the cookies sent by Apache Tomcat.
ENVIRONMENT
- NuGenesis 9 SDMS
- Apache Tomcat versions 9.0.x
- NuGenesis 8 SDMS
- Apache Tomcat versions 6.0.29 - 8.5.x
PROCEDURE
For Apache Tomcat 9 (NuGenesis 9.x) or Apache Tomcat 7.x/8.x (NuGenesis 8 upgraded from the default Tomcat v6.0.29):
- Use Notepad to edit the file in Drive:\Program Files (x86)\Waters\apache-tomcat-x.y.z\webapps\WebVision\WEB-INF\web.xml
- Add the following lines to the file, below the <web-app> tag and above the first <servlet> tag:
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
- Save and close web.xml.
- Use Notepad to edit the file in Drive:\Program Files (x86)\Waters\apache-tomcat-x.y.z\webapps\NGAudit\WEB-INF\web.xml
- Add the following lines to the file, below the <web-app> tag and above the first <servlet> tag:
  <session-config>
    <cookie-config>
      <http-only>false</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
- Use Notepad to edit the file in Drive:\Program Files (x86)\Waters\apache-tomcat-x.y.z\conf\context.xml
- Add the following line to the file, below the <Context> tag:
  <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" sameSiteCookies="strict" />
- Save and close context.xml.
- Restart the Apache Tomcat service.
For Apache Tomcat 6.0.29 (default version with NuGenesis 8):
- Use Notepad to edit the file in Drive:\Program Files (x86)\apache-tomcat-6.0.29\conf\server.xml.
- Look for the following line:
  <Context path="/servlet" docBase="WebVision" debug="0" reloadable="true" />
- Add the cookies and useHttpOnly attributes to that tag:
  <Context path="/servlet" docBase="WebVision" debug="0" reloadable="true" cookies="true" useHttpOnly="true" />
- Save and close server.xml.
- Restart the Apache Tomcat service.
ADDITIONAL INFORMATION
The context entry for "/ngaudit/servlet" is for the legacy SDMS Audit Trail Viewer. That application uses JavaScript to read the session ID from the cookie, so useHttpOnly must be set to false for it. That is the default configuration for NuGenesis 9.x.
Setting the Secure attribute is not possible in Apache Tomcat 6.x. The "cookie-config" tag was introduced in Apache Tomcat 7.
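As an added check (example code, not part of this article or of the Waters software), the following Python script validates a Set-Cookie header, captured from the browser's developer tools or a proxy after the Tomcat restart, against the per-application policy the steps above configure. It assumes the session cookie is named JSESSIONID (Tomcat's default) and that the NGAudit setting of http-only=false means the HttpOnly attribute must be absent for that application.

```python
"""Check a JSESSIONID Set-Cookie header against the cookie policy this article configures."""
from typing import Dict, List

# Expected attributes per application, as configured in the article's web.xml and
# context.xml edits. Assumption: NGAudit (legacy Audit Trail Viewer) must NOT have HttpOnly.
POLICY: Dict[str, Dict[str, object]] = {
    "WebVision": {"HttpOnly": True, "Secure": True, "SameSite": "strict"},
    "NGAudit": {"HttpOnly": False, "Secure": True, "SameSite": "strict"},
}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into the cookie name/value and its attributes (lower-cased keys)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"__name": name.strip(), "__value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")  # flag attributes such as Secure have no value
        attrs[key.strip().lower()] = val.strip()
    return attrs


def check_session_cookie(app: str, header: str) -> List[str]:
    """Return the list of policy findings for the header; an empty list means it complies."""
    rules = POLICY[app]
    attrs = parse_set_cookie(header)
    findings: List[str] = []
    if attrs["__name"] != "JSESSIONID":
        findings.append(f"not a JSESSIONID cookie: {attrs['__name']}")
    if rules["HttpOnly"] and "httponly" not in attrs:
        findings.append("HttpOnly missing")
    if not rules["HttpOnly"] and "httponly" in attrs:
        findings.append("HttpOnly present but legacy Audit Trail Viewer needs JS access")
    if rules["Secure"] and "secure" not in attrs:
        findings.append("Secure missing")
    samesite = attrs.get("samesite", "").lower()
    if samesite != rules["SameSite"]:
        findings.append(f"SameSite is {samesite or 'absent'}, expected {rules['SameSite']}")
    return findings


# Constructed sample headers: a Tomcat default before the change, and the expected result after.
BEFORE = "JSESSIONID=ABC123; Path=/WebVision"
AFTER = "JSESSIONID=ABC123; Path=/WebVision; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, check_session_cookie("WebVision", hdr) or "OK")
```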