AmadeusITGroup / HttpSessionReplacer

Store JEE Servlet HttpSessions in Redis
MIT License
49 stars 33 forks source link

Cookie is not secure #31

Closed benjaminhilaire closed 6 years ago

benjaminhilaire commented 6 years ago

Hello, Even if we set the value com.amadeus.session.cookie.secure to true, the cookie is created by HttpSessionReplacer but not secure

nbogojevic commented 6 years ago

This is being fixed in PR #34 Problem occurred as library was setting secure cookie only when the request was over secure channel. In particular case the incoming request was not detected by server as over secured channel, as it was behind a load balancer that was terminating HTTPS traffic.

nbogojevic commented 6 years ago

The issue has been fixed in version 0.4.7.