Pax Web 8.0.22 (Karaf 4.4.4) - Session cookie config support


Ivaylo M

Jan 17, 2024, 4:14:40 AM
to OPS4J
Hi Grzegorz,

First off, thank you so much for the Pax Web 8 effort. It really helps to have a proper implementation of the OSGi R6/7 http and whiteboard service specs.

Quick question - are the <session-config> and <cookie-config> elements in web deployment descriptors supported now? I found a note they weren't in Pax Web 4, but a lot must have changed since. These elements seem to be ignored in our app.

Related, I cannot seem to get the session cookie to be configured with the Secure flag via the org.ops4j.pax.web.cfg file in Karaf 4.4.4.

Setting org.ops4j.pax.web.session.cookie.secure = true has no effect if the connector used is http (non-secure). 

In my mind, if org.ops4j.pax.web.session.cookie.secure is set, the flag should be set in the cookie header, no matter the connector/transport. We offload TLS at the load balancer, and this use case is rather common.

I had to use the jetty-web.xml to set the session cookie config secure flag to true to work around it.

    <Get name="sessionHandler">
        <Get name="sessionCookieConfig">
            <Set name="secure" type="boolean">true</Set>
        </Get>
    </Get>

But something is still off, because when I get the SessionConfig via the ServletContext, the getSessionCookieConfig().isSecure() returns false.

Before I spend any more time on it, please let me know if there is something significant that I must be missing.

Thanks,
Ivaylo
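
A check for the behaviour described in this post, as an added example that is not part of the original message or of Pax Web: it reads the Set-Cookie headers of a raw HTTP response and reports whether the session cookie carries the Secure attribute. The cookie name JSESSIONID, the function names and the sample responses are assumptions constructed for illustration.

```python
"""Report whether the session cookie in a raw HTTP response is set with Secure."""

# Assumption: the session cookie uses the servlet default name JSESSIONID.
SESSION_COOKIE = "JSESSIONID"


def set_cookie_headers(raw_response):
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_attributes(header_value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    pair, *attrs = header_value.split(";")
    # Only attribute names count, so "Path=/secure-app" is not a Secure flag.
    names = {a.partition("=")[0].strip().lower() for a in attrs if a.strip()}
    return pair.partition("=")[0].strip(), names


def session_cookie_is_secure(raw_response, cookie=SESSION_COOKIE):
    """True/False if the cookie is set with/without Secure, None if it is not set."""
    result = None
    for value in set_cookie_headers(raw_response):
        name, attrs = cookie_attributes(value)
        if name == cookie:
            # Every header that sets the cookie must carry the flag.
            result = ("secure" in attrs) and (result is not False)
    return result


# Constructed sample responses, as the plain-HTTP connector would return them.
WITHOUT_FLAG = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=node0secure1x.node0; Path=/secure-app; HttpOnly\r\n\r\n"
)
WITH_FLAG = (
    "HTTP/1.1 200 OK\r\n"
    "set-cookie: JSESSIONID=node0abc.node0; Path=/; Secure; HttpOnly\r\n\r\n"
)

if __name__ == "__main__":
    print(session_cookie_is_secure(WITHOUT_FLAG), session_cookie_is_secure(WITH_FLAG))
```

The check has to run against the response as it leaves the HTTP connector (before or after the load balancer), because that header is what the browser receives, whatever isSecure() reports inside the application.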




Grzegorz Grzybek

Jan 17, 2024, 5:20:30 AM
to op...@googlegroups.com
Hello

I think there may be something wrong with the "secure" flag... Just as with the timeout (https://github.com/ops4j/org.ops4j.pax.web/issues/1912), I may have missed something... Good that there's a workaround for Jetty.

Please create an issue at https://github.com/ops4j/org.ops4j.pax.web/issues specifying the problem - I'll have a look at it soon.

regards
Grzegorz Grzybek
