SSDM-6285: do not set secure flag for cookies (wouldn't work for http)

762c21e3 · felmer · 29437a25 · 762c21e3 · 762c21e3
Commit 762c21e3 authored 7 years ago by felmer
--- a/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
+++ b/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
@@ -249,10 +249,9 @@ public class DataStoreServer
        servletContextHandler.setAttribute(
                WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
                ServiceProvider.getApplicationContext());
+        servletContextHandler.getSessionHandler().getSessionCookieConfig().setHttpOnly(true);
        // Disable URL rewriting (forces container to stop appending ";jsessionid=xxx" to urls)
        // to avoid mistakes in URL parsing by download servlets
-        servletContextHandler.getSessionHandler().getSessionCookieConfig().setHttpOnly(true);
-        servletContextHandler.getSessionHandler().getSessionCookieConfig().setSecure(true);
        servletContextHandler.getSessionHandler()
                .setSessionIdPathParameterName(null);
        String applicationName = "/" + DATA_STORE_SERVER_WEB_APPLICATION_NAME;

--- a/openbis_standard_technologies/resource/server/jetty-web.xml
+++ b/openbis_standard_technologies/resource/server/jetty-web.xml
@@ -7,7 +7,6 @@
 	</Call>
    <Get name="sessionHandler">
      <Get name="sessionCookieConfig">
-        <Set name="secure" type="boolean">true</Set>
        <Set name="httpOnly" type="boolean">true</Set>
      </Get>
    </Get>