Missing 'Secure' flag in 'Set-Cookie' header in HTTP response
Forum index » User Forum
tommy

Joined: 2023/10/27
Posts: 11
Offline
Hi,

I performed a small PEN test on my installation of JForum and got a warning that the 'Secure' flag is missing (which is true):

Set-Cookie: jforumAutoLogin=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/; HttpOnly; SameSite=Strict
Set-Cookie: jforumUserId=1; Max-Age=31536000; Expires=Tue, 10 Mar 2026 19:26:29 GMT; Path=/; HttpOnly; SameSite=Strict


I tried to force the inclusion of that flag through the 'session-config' in web.xml:

<session-config>
    <session-timeout>10</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>


But for some strange reason it works for all 'Set-Cookie' headers except for jforum* cookies. Very strange.
Is there any other way to enforce inclusion of the 'Secure' flag through JForum? The headers are immutable in the HttpServletResponse class, so it can't be changed afterwards through a filter or something similar.

Thanks.

Regards,
Tommy

Powered by JForum 2.8.3 © 2024 JForum Team • Maintained by Andowson Chang and Ulf Dittmer