Middleware> Secure Liferay Session Cookie (JSESSIONID) in WebLogic

Aug19
2013 Written by Scott Rowley

Extract the WEB-INF/weblogic.xml file from your liferay.war:

jar -xvf WEB-INF/weblogic.xml

Edit WEB-INF/weblogic.xml

vi WEB-INF/weblogic.xml

Add the following to the <session-descriptor> tag:

<cookie-secure>true</cookie-secure>

Update your liferay.war file

jar -uf liferay.war WEB-INF/weblogic.xml

Now redeploy your liferay.war (update or delete/install) and your cookie should be changed to Secure: Yes.

Secure Liferay session cookie

Posted in liferay, middleware, Security - Tagged cookie, cookie-secure, liferay, liferay.war, middleware, secure, session, session-descriptor, weblogic, weblogic.xml
«
»

5 Comments
  1. VC's Gravatar VC
    October 10, 2013 at 10:53 am

    Hi,

    Have you ever seen 2 cookies being returned after the change above? I get the renamed session cookie but then also the jsessionid cookie somewhere during the session. Does this change have to be done for all the liferay plugins as well?

    Thanks for the insight!

    • Scott Rowley's Gravatar Scott Rowley
      October 10, 2013 at 11:22 am

      VC,

      As far as I recall this happened to me after I did it as well, going in and removing all cookies from the browser and then trying again fixed it (I think, it’s been awhile).

      The change should only have to be done for each application that you have deployed. Also keep in mind that doing it via this method will mean that if you deploy a new liferay.war you’ll need to remember to make the change again. I’ve since learned to make the change via a deployment plan instead and then just make sure you always apply that deployment plan if you use a new liferay.war. This way you won’t have to make changes every time. You can also use the deployment plan to make other changes such as changing the name, path, domain, etc.

      If you’d like I can create a post that details how to do this as well.

    • Scott Rowley's Gravatar Scott Rowley
      October 10, 2013 at 1:11 pm

      Thanks to Ben for writing up his work for us 😉

      http://www.sudobash.net/creating-a-deployment-plan-in-oracle-weblogic/

  2. VC's Gravatar VC
    October 10, 2013 at 2:33 pm

    Thanks Scott — I’m very interested in how to do this via a deployment plan. Please post more details.

    I cleared all cookies and seems to have corrected it for a little while but then occurs again with a custom theme plugin js file request sending the additional jsessionid ID cookie. It seemed that jsessionid ID cookie gets sent back every time after that.

    I am not sure if this will cause any issues down the road or its safe to ignore.

Corrections? Questions? Comments?

Find an error?
Everything work out great for you?
Have some feedback?
Like to see something added to the article?

PLEASE leave us a comment after the article and let us know how we are doing, or if something needs corrected, improved or clarified.

Thank you!
- The Management

Advertisement

Back to Top