Revision as of 15:14, November 2, 2017
Secure Cookies
Web Services uses the secure flag option when it sends a new cookie to the user in an HTTP response. The purpose of the secure flag is to stop the cookie from being observed by unauthorized parties, which can happen when a cookie is transmitted in clear text over an unencrypted connection.
Enabling the secure flag
Set the cookies option in the jetty section of the application.yaml file on your Web Services nodes (server-settings.yaml if you're installing Web Services and Applications version 8.5.201.09 or earlier). For details, see Configuring Web Services.
cookies:
  httpOnly: true
  secure: true
Sample Cookie Header when secure flag is not set
Set-Cookie: MyCookieName=The value of my cookie; path=/; HttpOnly
Sample Cookie Header when secure flag is set
Set-Cookie: MyCookieName=The value of my cookie; path=/; secure
When the cookie is declared as secure in the cookies configuration option, the browser only sends it back over an encrypted (HTTPS) connection and never transmits it over plain HTTP. The secure flag protects the cookie in transit only; keep httpOnly set to true as well so that client-side script cannot read the cookie, in which case the Set-Cookie header carries both the HttpOnly and Secure attributes. The browser applies the rule to its own connection, so the flag still takes effect when TLS is terminated on a load balancer in front of the Web Services node.
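As an added check (example code, not part of Web Services and Applications; the header strings are constructed from the samples above and the function and type names are the example's own), the following Python parses Set-Cookie headers the way RFC 6265 describes, reports which of the Secure and HttpOnly attributes are missing, and models the browser rule described here: a Secure cookie is attached to requests over https but not over http.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not code from Web Services and Applications. The header
strings are constructed from the samples on this page; the function and
type names are the example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ParsedCookie:
    name: str
    value: str
    # Attribute names are case-insensitive (RFC 6265), so they are stored
    # lowercased; flag attributes such as Secure and HttpOnly carry no value
    # and map to None.
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header, with or without the 'Set-Cookie:' prefix."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    # RFC 6265 section 5.2: the first ';'-delimited piece is name=value,
    # every later piece is an attribute, optionally with '=value'.
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    cookie = ParsedCookie(name.strip(), value.strip())
    for piece in pieces[1:]:
        if not piece:
            continue
        attr, has_value, attr_value = piece.partition("=")
        cookie.attributes[attr.strip().lower()] = attr_value.strip() if has_value else None
    return cookie


def audit_set_cookie(header: str) -> List[str]:
    """Return the hardening problems found in one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie.attributes:
        findings.append("missing Secure: browser will also send the cookie over plain HTTP")
    if "httponly" not in cookie.attributes:
        findings.append("missing HttpOnly: cookie is readable from client-side script")
    return findings


def browser_will_send(header: str, scheme: str) -> bool:
    """Model the browser rule: a Secure cookie is only attached to requests
    made over an encrypted (https) connection; other cookies go over either."""
    cookie = parse_set_cookie(header)
    if "secure" in cookie.attributes:
        return scheme.lower() == "https"
    return True


# Constructed sample headers: the two from this page, plus the header to
# expect (assumption based on the configuration shown) when both httpOnly
# and secure are true.
SECURE_NOT_SET = "Set-Cookie: MyCookieName=The value of my cookie; path=/; HttpOnly"
SECURE_SET = "Set-Cookie: MyCookieName=The value of my cookie; path=/; secure"
BOTH_SET = "Set-Cookie: MyCookieName=The value of my cookie; path=/; HttpOnly; Secure"


if __name__ == "__main__":
    samples = (("secure not set", SECURE_NOT_SET), ("secure set", SECURE_SET), ("both set", BOTH_SET))
    for label, hdr in samples:
        print(label, "->", audit_set_cookie(hdr) or ["ok"])
        print("  sent over http:", browser_will_send(hdr, "http"),
              "| over https:", browser_will_send(hdr, "https"))
```

To verify a real node, copy the Set-Cookie lines from an actual response (for example the output of curl -i against the Web Services login endpoint) into the sample list and run the script; a cookie that still reports "missing Secure" after the configuration change means the cookies option was not picked up.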