System Administrator Jahia 7.3 Jahia 8 Legacy

Cookie JSessionId not secure

Question

Our security team has reported that the cookie JSessionId is not secure. What can we do?

Answer

Tomcat generates this cookie and sets its secure flag to true when it detects that an SSL connection is being used.

To have Tomcat detect the SSL connection and set the flag, follow this documentation, especially the parts related to the RemoteIpValve and to the Apache2 front-ends.
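
The fragment below is an added example and is not taken from the Jahia documentation. It shows a RemoteIpValve declaration for Tomcat's conf/server.xml, assuming Apache2 terminates SSL on the same host and forwards the original protocol in an X-Forwarded-Proto header; the Host attributes, the header names and the internalProxies value are assumptions to adapt to your own deployment.

```xml
<!-- Added example for Tomcat's conf/server.xml (assumed deployment, see the text above). -->
<!--
  Apache2 side (assumption: mod_headers is enabled), inside the SSL virtual host:
      RequestHeader set X-Forwarded-Proto "https"
  Setting the header in Apache2, rather than passing it through, overwrites
  any value supplied by the client.
-->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!--
    Without this valve Tomcat only sees the plain HTTP (or AJP) hop from Apache2,
    treats the request as not secure and issues the session cookie without
    the secure flag.

    internalProxies : regular expression matching the front-end addresses whose
                      forwarded headers are trusted. Here only the local Apache2
                      is trusted; requests from any other address keep their
                      original scheme, so a client cannot claim "https" by
                      sending the header itself.
    protocolHeader  : header carrying the protocol seen by the front-end.
    protocolHeaderHttpsValue : value of that header that marks the request as
                      secure (request.isSecure() returns true, scheme is https).
    remoteIpHeader  : header carrying the original client address.
  -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="127\.0\.0\.1"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https" />

</Host>
```

After restarting Tomcat, a new session opened through the HTTPS front-end should return a Set-Cookie header for the session cookie that includes the Secure attribute.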