I have been having a behaviour that I can only qualify as weird due to my current level of understanding of this.
I have Apache version 2.4.7 on Ubuntu proxying through AJP 1.3 to Tomcat 7.0.52.0 running a Spring (MVC) application with Apache Shiro 1.2 as the security framework.
I have set the header entries in apache2.conf as shown below:
Header always append X-Frame-Options SAMEORIGIN
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
I have the very same behaviour if the flags are enforced on the Tomcat side using either or all of the methods below:
connector WEB-INF/web.xml with the following
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
After this, what happens is that at /login there is a secure and httponly flag; after the authentication is successful all these flags vanish within the app, throughout any call to the server. Once the user logs out, the flags come back with an extra one, DeleteMe, on both the jsessionid and RememberMe.
This /login page creates the jsessionid with secure and httponly flags.
When the authentication is successful, the 2-step auth jsessionid has no flags.
In the account dashboard too there is no flag.
But at the logout the flags are back.
My questions, though, are:
1: Is this the usual behaviour?
2: If this is the actual behaviour, does this mean the cookie is secure throughout the life of the session id?
This is not usual behavior/observation, as those flags are not applicable to the Cookie request header as sent to a server to maintain state. The values received are used by, but not transmitted by, the client. You're being misled by that diagnostic interface showing the columns for the Cookie header. Set-Cookie and Cookie are not symmetrical this way.
The only way to tell if your non-browser client honors the "SECURE" setting is to coax it into sending a non-HTTPS request to the same domain/path specified in the cookie and observing if it omits the cookie previously set as SECURE.
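To check the observation in the question step by step rather than through a diagnostic interface, here is an added Python audit script (not code from the question or the answer). It parses the Set-Cookie headers captured from each response, reports any watched cookie (JSESSIONID, Shiro's rememberMe) that lacks Secure or HttpOnly, and shows that a Cookie request header carries no attributes at all; the trace, cookie values and step names are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

REQUIRED = {"secure", "httponly"}          # flags the question expects on every Set-Cookie
WATCHED = {"JSESSIONID", "rememberMe"}     # Tomcat session cookie and Shiro's remember-me cookie


def parse_set_cookie(header: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value.

    Secure and HttpOnly exist only in Set-Cookie; the Cookie request header
    never carries them back (see parse_cookie_request).
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def parse_cookie_request(header: str) -> Dict[str, str]:
    """Parse a Cookie request header: name=value pairs only, no flags to inspect."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if p.strip())
    return {k.strip(): v.strip() for k, v in pairs}


def audit_trace(trace: List[Tuple[str, int, List[str]]]):
    """Report every watched cookie whose Set-Cookie lacks Secure or HttpOnly."""
    findings = []
    for step, status, set_cookie_values in trace:
        for value in set_cookie_values:   # one entry per Set-Cookie header, never folded
            name, attrs = parse_set_cookie(value)
            if name in WATCHED:
                missing = sorted(REQUIRED - attrs)
                if missing:
                    findings.append((step, status, name, missing))
    return findings


# Constructed trace mirroring the question: flags present at /login, gone after
# authentication, back (with the deleteMe value) at logout. All values are made up.
TRACE = [
    ("GET /login", 200, ["JSESSIONID=CONSTRUCTED1; Path=/;HttpOnly;Secure"]),
    ("POST /login", 302, ["JSESSIONID=CONSTRUCTED2; Path=/",
                          "rememberMe=CONSTRUCTED3; Path=/; Max-Age=1209600"]),
    ("GET /account", 200, []),
    ("GET /logout", 200, ["JSESSIONID=deleteMe; Path=/; Max-Age=0;HttpOnly;Secure",
                          "rememberMe=deleteMe; Path=/; Max-Age=0;HttpOnly;Secure"]),
]

if __name__ == "__main__":
    for step, status, name, missing in audit_trace(TRACE):
        print(f"{step} ({status}): {name} is missing {', '.join(missing)}")
    print(parse_cookie_request("JSESSIONID=CONSTRUCTED2; rememberMe=CONSTRUCTED3"))
```

The constructed 302 step is the case worth checking in a real capture: Apache's `Header` directive without the `always` keyword applies only to 2xx responses, so a `Header edit Set-Cookie` rule leaves a post-login redirect untouched while `Header always append` applies to every response.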