By default, Clarity and Tomcat session cookies do not have the 'secure' and/or 'http-only' attributes configured. Clarity r13.1.x and greater support 'secure' and/or 'http-only' cookies; however, additional configuration is required to enable them for both the 'sessionID' and JSESSION cookies.
Note: You must have SSL enabled to leverage 'secure' cookies. Using a non-SSL URL will cause the session to time out immediately.
Steps to Reproduce:
Expected Result: Secure and http-only would be configured for both 'sessionID' and 'JSESSION' cookies.
Actual Result: Cookies are not 'secure' and 'http-only' is not set.
JSESSION: Tomcat session management cookie.
sessionid: Clarity user session cookie.
Secure = true: Using the Secure option you tell the browser (or other HTTP clients) to send the cookie only over SSL connections.
Http-Only: is an option which specifies that the cookie (session identifiers included) cannot be read by client-side script through the application DOM (for example, via document.cookie).
Combining the Secure setting and the http-only flag produces a more robust cookie that is less prone to attacks. Together they allow the browser to restrict access to secure cookie data from scripts running within the web browser. This limits the potential damage many cross-site scripting attacks can cause, specifically the attacks that target cookie data.
You should set Secure=true ONLY if you are serving https content exclusively; for mixed content this setting is NOT supported. This is only supported on r13.1.x or greater.
Prerequisite: Be on a supported version of Clarity PPM then enable Full SSL for Clarity and follow the configuration steps below.
Steps to enable Secure cookie and http-only on sessionid
Steps to enable Secure and http-only on JSESSION (optional for Clarity, as JSESSION is not used by Clarity)
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
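To confirm the Expected Result above (both cookies carrying Secure and HttpOnly), the following added example audits the Set-Cookie header values returned by the server; it is not Clarity or Tomcat code. It assumes the Tomcat cookie is named JSESSIONID (the name Tomcat actually emits for what this page calls JSESSION), and the header lines in BEFORE and AFTER are constructed samples rather than captured traffic.

```python
from dataclasses import dataclass

# Cookies this page cares about: the Clarity user session cookie and the
# Tomcat session cookie (the page calls it JSESSION; Tomcat emits JSESSIONID).
EXPECTED_COOKIES = ("sessionid", "JSESSIONID")


@dataclass
class CookieFlags:
    name: str
    secure: bool
    http_only: bool


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into the cookie name and its two flags.
    Attribute names are matched case-insensitively, as browsers do (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFlags(name, "secure" in attrs, "httponly" in attrs)


def audit_cookies(set_cookie_headers, expected=EXPECTED_COOKIES):
    """Return {cookie name: [missing attributes]} for each expected cookie.
    Cookie names compare case-insensitively because the page writes the Clarity
    cookie as both sessionID and sessionid. A cookie that is never set at all is
    reported as missing 'Set-Cookie', since the browser then has nothing to protect."""
    seen = {}
    for value in set_cookie_headers:
        flags = parse_set_cookie(value)
        seen[flags.name.lower()] = flags
    findings = {}
    for name in expected:
        flags = seen.get(name.lower())
        if flags is None:
            findings[name] = ["Set-Cookie"]
            continue
        checks = (("Secure", flags.secure), ("HttpOnly", flags.http_only))
        findings[name] = [attr for attr, present in checks if not present]
    return findings


# Constructed sample headers: before and after applying the configuration above.
BEFORE = ["sessionid=abc123; Path=/", "JSESSIONID=0123ABCD; Path=/"]
AFTER = ["sessionid=abc123; Path=/; Secure; HttpOnly",
         "JSESSIONID=0123ABCD; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_cookies(headers))
```

On a live system, feed it the Set-Cookie values from the login response over the HTTPS URL; any non-empty list in the result is a cookie still exposed to script or to plaintext transport.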