...
If you are going to set up an encypted connection to PhixFlow, i.e. access via HTTPS (see Configure tomcat for HTTPS), you may also want to set the secure flag on cookies. This is a further security measure that reduces the risk of the cookies that PhixFlow creates being maliciously used to gain unauthorised access, and is a commonly used setting for web applications (https://www.owasp.org/index.php/SecureFlag). To do this, add a <cookie-config> block to the <session-config> block in the web.xml file, as in the example below:.
| Note |
|---|
This also sets the HTTP only flag, another common hardening measure for web applications. In fact, this is set by default, but it can be useful to explicitly set this in your configuration for clarity, and to assist with any security audits you may wish to undertake. |
| Code Block |
|---|
<session-config>
<session-timeout>720</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config> |
...