Details
Type: Feature Request
Resolution: Done
Priority: Major
Fix Version/s: 2.0.0.Alpha1, 1.4.20.Final
None
Description
In EAP 6.x/JBossWeb, the Secure cookie flag is enabled whenever the request arrives over a secure channel. In particular, the secure flag is automatically added to response cookies when the request comes in through https, through ajp with is_ssl=true, or through a connector that has the secure attribute set.
This behavior is useful in some scenarios. For example, imagine the following architecture:

    +--------+                                  +--------+             +--------+
    |        |--(http://www.example.com)------->|   LB   |-(http/ajp)->| JBoss  |
    | client |                                  | Apache |             |  EAP   |
    |        |-(https://secure.example.com)---->| httpd  |-(http/ajp)->|  6.x   |
    +--------+                                  +--------+             +--------+

Client browsers access the same application through two URIs: a non-secure one, http://www.example.com, and a secure one, https://secure.example.com. In this case, customers want to enable the secure flag only for https://secure.example.com. The web.xml <cookie-config> setting cannot achieve this requirement because it enables the secure cookie flag on every access to the application, regardless of the channel.
I would like to propose a configurable option (a system property named something like io.undertow.legacy.cookie.SECURE_COOKIE_FOR_HTTPS) to provide a backward-compatible switch that enables this behavior.
If you consider this useful and/or approve the request, I'll send the following proposed patch as a PR:
https://github.com/undertow-io/undertow/compare/master...msfm:master_Secure_Cookie?expand=1
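For readers who want to see the behaviour the request describes in concrete terms, the following Undertow HttpHandler is an added illustration written for this page; it is not the patch linked above and not Undertow's own implementation. It assumes the public Undertow API (HttpHandler, HttpServerExchange, Cookie, addResponseCommitListener, getResponseCookies) and uses the system property name proposed in the description as the on/off switch. The check for "secure channel" relies on the assumption that Undertow's AJP parser sets the request scheme to https when is_ssl=true; the "secure attribute on the connector" case is left to listener configuration.

```java
// Added example (not the linked PR): wrap an application handler so that, when the
// proposed system property is set, every response cookie gets the Secure flag if and
// only if the request arrived over a secure channel. With the property unset the
// handler is a no-op, which keeps existing Undertow behaviour.
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;

public class SecureCookieForHttpsHandler implements HttpHandler {

    // Proposed switch from the feature request; default off.
    private static final boolean SECURE_COOKIE_FOR_HTTPS =
            Boolean.getBoolean("io.undertow.legacy.cookie.SECURE_COOKIE_FOR_HTTPS");

    private final HttpHandler next;

    public SecureCookieForHttpsHandler(HttpHandler next) {
        this.next = next;
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        if (SECURE_COOKIE_FOR_HTTPS && isSecureChannel(exchange)) {
            // Runs just before the response headers are committed, so cookies the
            // application adds later in the chain (e.g. JSESSIONID) are included.
            // Assumption: addResponseCommitListener is available in the target version.
            exchange.addResponseCommitListener(ex -> {
                for (Cookie cookie : ex.getResponseCookies().values()) {
                    cookie.setSecure(true);
                }
            });
        }
        next.handleRequest(exchange);
    }

    // A request counts as secure when it came in over https directly or over ajp with
    // is_ssl=true (assumed to surface as request scheme "https"). Plain http access to
    // http://www.example.com therefore leaves cookies untouched, which is the
    // per-channel behaviour the request asks for.
    static boolean isSecureChannel(HttpServerExchange exchange) {
        return "https".equalsIgnoreCase(exchange.getRequestScheme());
    }
}
```

Compared with the web.xml <cookie-config> approach, which marks the session cookie Secure for every request to the application, this handler decides per request, so the same deployment can serve the http and https hostnames from the diagram without either breaking the non-secure site or sending the session cookie unprotected on the secure one.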