
User Forum » Missing 'Secure' flag in 'Set-Cookie' header in HTTP response.

Posted by: tommy
2 months ago
Hi,

I performed a small PEN test on my installation of JForum and got a warning that the 'Secure' flag is missing (which is true):

Set-Cookie: jforumAutoLogin=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/; HttpOnly; SameSite=Strict
Set-Cookie: jforumUserId=1; Max-Age=31536000; Expires=Tue, 10 Mar 2026 19:26:29 GMT; Path=/; HttpOnly; SameSite=Strict


I tried to force the inclusion of that flag through the 'session-config' in web.xml:

<session-config>
    <session-timeout>10</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>


But for some strange reason it works for all 'Set-Cookie' headers except for jforum* cookies. Very strange.
Is there any other way to enforce inclusion of the 'Secure' flag through JForum? The headers are immutable in the HttpServletResponse class, so it can't be changed afterwards through a filter or something similar.

Thanks.

Regards,
Tommy


Posted by: udittmer
2 months ago
The settings in web.xml are only for the session cookie, not for any other cookies that may get set by the web app (see ControllerUtils.addCookie). The problem with always setting the secure flag is that it won't work for HTTP-only installations (which sometimes exist in non-public installations). So the thing to do is to make that dependent on the base URL. For the next release I'll add this:


cookie.setHttpOnly(true);
// only mark the cookie Secure when the forum itself is served over HTTPS
if (SystemGlobals.getValue(ConfigKeys.FORUM_LINK).startsWith("https")) {
    cookie.setSecure(true);
}


but unless you want to recompile the source yourself, there is no external configuration you can apply to make this happen.
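
A check of the kind Tommy's scanner performed, added here as an example and not code from JForum or from either poster: it parses the Set-Cookie headers quoted above and, like udittmer's patch, requires Secure only when the base URL (JForum's FORUM_LINK) is https. The JSESSIONID line and the forum URLs are constructed.

```python
"""Audit Set-Cookie headers for the attributes a pen test would flag."""
from typing import Dict, List, Tuple

# Constructed sample: the two headers quoted in the thread plus a
# JSESSIONID line as the container emits it with <secure>true</secure>.
SAMPLE_HEADERS = [
    "Set-Cookie: jforumAutoLogin=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/; HttpOnly; SameSite=Strict",
    "Set-Cookie: jforumUserId=1; Max-Age=31536000; Expires=Tue, 10 Mar 2026 19:26:29 GMT; Path=/; HttpOnly; SameSite=Strict",
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and an attribute map.

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare
    equal; flag attributes without a value (Secure, HttpOnly) map to ''.
    """
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers: List[str], forum_link: str) -> List[Tuple[str, str]]:
    """Return (cookie name, finding) pairs for weak or missing attributes.

    Secure is only demanded when the forum's base URL is https, mirroring
    the FORUM_LINK check in udittmer's patch, so an intranet HTTP-only
    installation is not reported for a flag that would break its cookies.
    """
    over_tls = forum_link.lower().startswith("https")
    findings: List[Tuple[str, str]] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        if over_tls and "secure" not in attrs:
            findings.append((cookie["name"], "missing Secure"))
        if "httponly" not in attrs:
            findings.append((cookie["name"], "missing HttpOnly"))
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append((cookie["name"], "SameSite not Strict/Lax"))
    return findings
```

Run against the sample with an https base URL, both jforum* cookies are reported for the missing Secure flag while the container's session cookie is not, which is exactly the split Tommy observed between web.xml-controlled and application-set cookies.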

Posted by: tommy
2 months ago
Perfect!
Thanks.

Regards,
Tommy