From 762c21e3b3f8ff887766214fada0857541ecdddc Mon Sep 17 00:00:00 2001
From: felmer <franz-josef.elmer@id.ethz.ch>
Date: Wed, 28 Mar 2018 07:58:25 +0200
Subject: [PATCH] SSDM-6285: do not set secure flag for cookies (wouldn't work
 for http)

---
 .../cisd/openbis/dss/generic/server/DataStoreServer.java       | 3 +--
 openbis_standard_technologies/resource/server/jetty-web.xml    | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java b/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
index 66dc6025c27..f9ca5aa9dd9 100644
--- a/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
+++ b/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
@@ -249,10 +249,9 @@ public class DataStoreServer
         servletContextHandler.setAttribute(
                 WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
                 ServiceProvider.getApplicationContext());
+        servletContextHandler.getSessionHandler().getSessionCookieConfig().setHttpOnly(true);
         // Disable URL rewriting (forces container to stop appending ";jsessionid=xxx" to urls)
         // to avoid mistakes in URL parsing by download servlets
-        servletContextHandler.getSessionHandler().getSessionCookieConfig().setHttpOnly(true);
-        servletContextHandler.getSessionHandler().getSessionCookieConfig().setSecure(true);
         servletContextHandler.getSessionHandler()
                 .setSessionIdPathParameterName(null);
         String applicationName = "/" + DATA_STORE_SERVER_WEB_APPLICATION_NAME;
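Review bot: Dropping `setSecure(true)` unconditionally, next to the `setHttpOnly(true)` call, means deployments that do serve over HTTPS now issue the session cookie without the Secure attribute, so a browser will also attach it to any plain-HTTP request to the same host. Instead of removing the flag, derive it from the transport configuration, e.g. `servletContextHandler.getSessionHandler().getSessionCookieConfig().setSecure(httpsEnabled);`, where `httpsEnabled` is a placeholder for whatever setting this server uses to choose between HTTP and HTTPS connectors. The same concern applies to the `secure` entry removed from jetty-web.xml, which would need an HTTPS-specific override or documentation telling operators to re-enable it. The enclosing method starts and ends outside the hunk, so whether such a setting is already in scope here cannot be confirmed from the visible lines.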
diff --git a/openbis_standard_technologies/resource/server/jetty-web.xml b/openbis_standard_technologies/resource/server/jetty-web.xml
index e88a2c19344..c5d95dbcbaf 100644
--- a/openbis_standard_technologies/resource/server/jetty-web.xml
+++ b/openbis_standard_technologies/resource/server/jetty-web.xml
@@ -7,7 +7,6 @@
 	</Call>
     <Get name="sessionHandler">
       <Get name="sessionCookieConfig">
-        <Set name="secure" type="boolean">true</Set>
         <Set name="httpOnly" type="boolean">true</Set>
       </Get>
     </Get>
-- 
GitLab