How to get jetty to send jsessionid-cookies with the secure-flag when using a secure channel

Question

I am using Tomcat in my production environment and jetty in my testing environment (via jetty-maven-plugin).

Tomcat sets the secure-flag on a jsessionid-cookie, when it is sendig it over a secure channel (https), which looks like a good idea to me, becaus it prevents the session from being exposed, when the user klicks on a http://-link. But Jetty does not so!

I would like to force Jetty to behave like Tomcat and always set the secure-flag on jsessionid-cookies send over a secure channel, because otherwise, my testing environment behaves considerably diffrent then my production environment. But I cannot find any configuration option to achive this.

I am also wondering, if this is a security-bug in Jetty. Because not marking a jsessionid-cookie send over a secure channel as secure reveals the secure session if the user switches back to an unsecure channel.

Answer 1

I am adding the following just to show the complete example that worked for me.

Put the following in WEB-INF/jetty-web.xml

<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="secureCookies" type="boolean">true</Set>
        </Get>
    </Get>
</Configure>