Waters

How to enable SameSite, HTTP-only, and secure cookies in Apache Tomcat - WKB202740

Article number: 202740

OBJECTIVE or GOAL

Enable the HttpOnly, Secure, and SameSite attributes on the session cookies sent by Apache Tomcat.

ENVIRONMENT

  • NuGenesis 9 SDMS
    • Apache Tomcat versions 9.0.x
  • NuGenesis 8 SDMS
    • Apache Tomcat versions 6.0.29 - 8.5.x

PROCEDURE

For Apache Tomcat 9 (NuGenesis 9.x) or Apache Tomcat 7.x/8.x (NuGenesis 8 upgraded from the default Tomcat v6.0.29):

  1. Use Notepad to edit the file in Drive:\Program Files (x86)\Waters\apache-tomcat-x.y.z\webapps\WebVision\WEB-INF\web.xml.
  2. Add the following lines to the file, below the <web-app> tag and above the first <servlet> tag:
    •     <session-config>
              <cookie-config>
                  <http-only>true</http-only>
                  <secure>true</secure>
              </cookie-config>
          </session-config>
  3. Save and close web.xml.
  4. Use Notepad to edit the file in Drive:\Program Files (x86)\Waters\apache-tomcat-x.y.z\webapps\NGAudit\WEB-INF\web.xml.
  5. Add the following lines to the file, below the <web-app> tag and above the first <servlet> tag:
    •     <session-config>
              <cookie-config>
                  <http-only>false</http-only>
                  <secure>true</secure>
              </cookie-config>
          </session-config>
  6. Use Notepad to edit the file in Drive:\Program Files (x86)\Waters\apache-tomcat-x.y.z\conf\context.xml.
  7. Add the following line to the file, below the <Context> tag:
    • <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" sameSiteCookies="strict" />
  8. Save and close context.xml.
  9. Restart the Apache Tomcat service.

For Apache Tomcat 6.0.29 (default version with NuGenesis 8):

  1. Use Notepad to edit the file in Drive:\Program Files (x86)\apache-tomcat-6.0.29\conf\server.xml.
  2. Look for the following line:
    • <Context path="/servlet" docBase="WebVision" debug="0" reloadable="true" />
  3. Add the cookies and useHttpOnly attributes to that tag:
    • <Context path="/servlet" docBase="WebVision" debug="0" reloadable="true" cookies="true" useHttpOnly="true" />
  4. Save and close server.xml.
  5. Restart the Apache Tomcat service.

ADDITIONAL INFORMATION

The context entry for "/ngaudit/servlet" is for the legacy SDMS Audit Trail Viewer. That application uses JavaScript to read the session ID from the cookie, so HttpOnly must not be set on its session cookie (useHttpOnly set to false on the Tomcat 6 Context, and <http-only>false</http-only> in the NGAudit web.xml above). That is the default configuration for NuGenesis 9.x.

Setting the Secure attribute is not possible in Apache Tomcat 6.x. The "cookie-config" tag was introduced in Apache Tomcat 7.
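To confirm the change took effect, the following is an added Python check (not part of this Waters article or the NuGenesis product) that reads the <cookie-config> values out of a web.xml and inspects Set-Cookie header values as a browser would receive them after login. The web.xml fragment and the Set-Cookie strings are constructed samples; the NGAudit sample deliberately lacks HttpOnly to match the exception described above.

```python
# Verify the cookie hardening from this article: read <cookie-config> from a web.xml and
# check Set-Cookie values as a browser receives them. All sample data below is constructed.
import xml.etree.ElementTree as ET

# Constructed web.xml fragment in the form the WebVision step produces (not a real file).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed Set-Cookie values; NGAudit intentionally omits HttpOnly (see ADDITIONAL INFORMATION).
SAMPLE_SET_COOKIE = {
    "WebVision": "JSESSIONID=0123456789ABCDEF; Path=/WebVision; Secure; HttpOnly; SameSite=Strict",
    "NGAudit": "JSESSIONID=FEDCBA9876543210; Path=/NGAudit; Secure; SameSite=Strict",
}

def webxml_cookie_config(web_xml: str) -> dict:
    """Return {'http-only': bool|None, 'secure': bool|None}; None means the element is absent."""
    found = {}
    for element in ET.fromstring(web_xml).iter():
        local = element.tag.rsplit("}", 1)[-1]  # strip the Java EE namespace if one is declared
        if local in ("http-only", "secure"):
            found[local] = (element.text or "").strip().lower() == "true"
    return {name: found.get(name) for name in ("http-only", "secure")}

def cookie_attributes(set_cookie: str) -> dict:
    """Split a Set-Cookie value into lower-cased attributes; valueless flags map to True."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:  # element 0 is the cookie's own name=value
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value or True
    return attrs

def check_cookie(set_cookie: str, expect_http_only: bool = True) -> list:
    """List what is missing relative to the article's target state; an empty list means compliant."""
    attrs = cookie_attributes(set_cookie)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if expect_http_only and "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if str(attrs.get("samesite", "")).lower() != "strict":
        findings.append("SameSite is not Strict")
    return findings
```

Run check_cookie with expect_http_only=False for the NGAudit cookie, since that application must keep the session ID readable from JavaScript.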
