Issue when adding flag httpOnly to cookie


Hi everyone,

I tried to deploy the Bonita portal in our infrastructure, where the httpOnly flag is forced on the cookie by our front end. For more information on this flag, here is some documentation:

See below the front-end configuration that sets the cookie (if I remove this part everything works normally):

<code lang="apache">
Header edit Set-Cookie "(?i)^(.*);[\s]*HttpOnly[\s]*(.*)$" "$1$2"
Header edit Set-Cookie (.*) "$1; HttpOnly"
</code>

I think that there is an issue when the httpOnly flag is set on the cookie during authentication on the portal. When this flag is set on the cookie, we lose the X-Bonita-API-Token header containing the token, and all requests made from the portal that require this token fail (error 401 due to the absence of the token). I don't know where this header is set up, but maybe something goes wrong when the cookie is parsed in this case?

Can anyone confirm the problem or tell me where to report this issue?

Best,
Leo.
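
As an added illustration (not part of Leo's post or of Bonita itself), the script below replays the two Apache `Header edit` rules on constructed `Set-Cookie` values and then models what a browser exposes to page script: cookies carrying `HttpOnly` are never visible through `document.cookie`. The working hypothesis, stated as an assumption and not confirmed by the thread, is that the portal's JavaScript copies a token cookie into the `X-Bonita-API-Token` request header; if so, forcing `HttpOnly` onto every cookie makes that copy impossible, which matches the 401s described above. The cookie names and values are constructed, and `build_api_token_header` is a hypothetical stand-in for that client-side step.

```python
import re

# The two Apache "Header edit" rules from the post, as (pattern, replacement).
# Apache back-references are $1/$2; Python's re uses \1/\2, so they are translated.
# "Header edit" (unlike "Header edit*") rewrites only the first match, hence count=1 below.
HEADER_EDIT_RULES = [
    (re.compile(r"(?i)^(.*);[\s]*HttpOnly[\s]*(.*)$"), r"\1\2"),  # drop an existing HttpOnly
    (re.compile(r"(.*)"), r"\1; HttpOnly"),                        # then append exactly one
]

# Constructed response headers, as an application server might emit them.
SAMPLE_RESPONSE_COOKIES = [
    "JSESSIONID=constructed-session-id; Path=/bonita; HttpOnly",
    "X-Bonita-API-Token=constructed-token-value; Path=/bonita",
]


def apply_header_edits(set_cookie_values):
    """Apply both Header edit rules, in order, to every Set-Cookie value."""
    out = []
    for value in set_cookie_values:
        for pattern, repl in HEADER_EDIT_RULES:
            value = pattern.sub(repl, value, count=1)
        out.append(value)
    return out


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, {attribute-lowercased: value or None})."""
    parts = [p.strip() for p in value.split(";")]
    name, _sep, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() if sep else None
    return name.strip(), val.strip(), attrs


def script_visible_cookies(set_cookie_values):
    """Model document.cookie: browsers hide HttpOnly cookies from page script."""
    visible = {}
    for sc in set_cookie_values:
        name, val, attrs = parse_set_cookie(sc)
        if "httponly" not in attrs:
            visible[name] = val
    return visible


def build_api_token_header(set_cookie_values, token_cookie="X-Bonita-API-Token"):
    """Hypothetical client-side step (assumption, not Bonita's code): copy the token
    cookie into a request header. Returns None when script cannot read the cookie."""
    return script_visible_cookies(set_cookie_values).get(token_cookie)


if __name__ == "__main__":
    print("before front-end edits:", build_api_token_header(SAMPLE_RESPONSE_COOKIES))
    rewritten = apply_header_edits(SAMPLE_RESPONSE_COOKIES)
    print("after front-end edits: ", build_api_token_header(rewritten))
```

The takeaway for whoever configures the front end: a blanket `Header edit Set-Cookie` rule cannot distinguish a session cookie, which should be `HttpOnly`, from a token cookie that page script has to read by design. Either scope the rule to the session cookie name or let the servlet container mark its own session cookie, as the answer below suggests.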

1 answer


Hi,

Did you try the Tomcat configuration way?

Open `web.xml` and add the following in the `session-config` section:
<code lang="xml">
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</code>

HTH
Romain
