Does the Jetty Maven Plugin 8.0.0.M3 support all of Servlet 3?
I have the following in my web.xml:
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<session-timeout>15</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
However, according to OWASP's Zed Attack Proxy (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project), cookies are still being set by Spring Security w/o the httpOnly or secure flags.
If I deploy the same app in Tomcat 7, it appears to honor these settings from web.xml.
Solution: Put the elements in the correct order:
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
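The answer's point is that <session-config> is a schema-ordered sequence in Servlet 3.0 (session-timeout, then cookie-config, then tracking-mode; inside cookie-config: name, domain, path, comment, http-only, secure, max-age), and a container that validates strictly may silently ignore a mis-ordered cookie-config. The following is an added example, not code from the question, the answer, Jetty or Spring Security: a small Python checker that flags out-of-order children in a web.xml session-config, plus a Set-Cookie inspector that reports the same missing HttpOnly/Secure flags ZAP complained about. The two web.xml fragments inside it are constructed from the question and the answer; the Set-Cookie header values are constructed samples.

```python
"""Check a web.xml <session-config> against the Servlet 3.0 element order and
report Set-Cookie headers that lack the HttpOnly / Secure flags.

Added example (not code from the question, Jetty or Spring Security).
Assumes the sequences from web-app_3_0.xsd:
  session-config: session-timeout, cookie-config, tracking-mode*
  cookie-config:  name, domain, path, comment, http-only, secure, max-age
"""
import xml.etree.ElementTree as ET

SESSION_CONFIG_ORDER = ["session-timeout", "cookie-config", "tracking-mode"]
COOKIE_CONFIG_ORDER = ["name", "domain", "path", "comment",
                       "http-only", "secure", "max-age"]

# Constructed sample: the question's (mis-ordered) fragment.
WRONG_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<session-timeout>15</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
</web-app>"""

# Constructed sample: the answer's (schema-ordered) fragment.
RIGHT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
</web-app>"""


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _order_errors(elem, expected, where):
    """Return messages for children of elem that violate the expected order."""
    errors = []
    rank = {name: i for i, name in enumerate(expected)}
    last = -1  # highest rank seen so far
    for child in elem:
        name = _local(child.tag)
        if name not in rank:
            errors.append(f"{where}: unexpected element <{name}>")
            continue
        if rank[name] < last:
            errors.append(f"{where}: <{name}> appears after <{expected[last]}>; "
                          f"the schema requires it earlier")
        last = max(last, rank[name])
    return errors


def check_session_config(web_xml):
    """Return a list of ordering problems in every <session-config> found."""
    root = ET.fromstring(web_xml)
    errors = []
    for sc in root.iter():
        if _local(sc.tag) != "session-config":
            continue
        errors += _order_errors(sc, SESSION_CONFIG_ORDER, "session-config")
        for cc in sc:
            if _local(cc.tag) == "cookie-config":
                errors += _order_errors(cc, COOKIE_CONFIG_ORDER, "cookie-config")
    return errors


def missing_cookie_flags(set_cookie_value):
    """Return which of HttpOnly / Secure a Set-Cookie header value lacks.

    Attribute names are case-insensitive per RFC 6265; only the part after
    the first ';' carries attributes.
    """
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


if __name__ == "__main__":
    for label, doc in (("question", WRONG_WEB_XML), ("answer", RIGHT_WEB_XML)):
        problems = check_session_config(doc)
        print(f"{label}: {problems or 'session-config order OK'}")
    # Constructed header values, e.g. as seen in a proxy like ZAP.
    for hdr in ("JSESSIONID=abc123; Path=/",
                "JSESSIONID=abc123; Path=/; Secure; HttpOnly"):
        print(f"{hdr!r} lacks: {missing_cookie_flags(hdr) or 'nothing'}")
```

Run it against a deployed application's real web.xml before blaming the container: if the checker reports an ordering problem, reorder the elements as the answer does and re-test the Set-Cookie header through the proxy. The order check is deliberately stricter than some containers, since Tomcat accepting a fragment does not mean every Servlet 3 container will.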