PUBLIC - Liferay Portal Community Edition / LPS-31750

Non-secure cookie LFR_SESSION_STATE_XXXXXX is created when connected over HTTPS

    Details

      Description

      The cookie that keeps track of the user session timestamp, LFR_SESSION_STATE_XXXXXX, is created twice. The first time the security flag is not set. The second time the secure flag is set (and the path points to "/").

      Steps to reproduce:
      1. Open a browser and clear all the cookies (at least the ones that look like LFR_SESSION_STATE_XXXXXX, where XXXXXX is a number representing the user ID).
      2. Log in to Liferay over an HTTPS connection.
      3. Check the cookies that are created for the user - there are 2 of them - one with the secure flag set and one without the secure flag.

      It can be reproduced on https://www.liferay.com as well.

      Note that the secure flag is not set if the connection goes over HTTP (non-secure connection).
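
An added example, not part of the original report or Liferay's code: a check that audits every `Set-Cookie` header seen during an HTTPS login and reports each `LFR_SESSION_STATE_*` cookie set without `Secure`. The sample headers, user ID, values and the first cookie's path are constructed for illustration.

```python
import re

# Constructed sample: Set-Cookie headers as they might be collected during an
# HTTPS login. The user ID, values and the first cookie's path are invented.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/; Secure; HttpOnly",
    "LFR_SESSION_STATE_10198=1358500000000; Path=/web/guest",
    "LFR_SESSION_STATE_10198=1358500000500; Path=/; Secure",
]

SESSION_STATE = re.compile(r"^LFR_SESSION_STATE_\d+$")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_https_cookies(headers, name_pattern=SESSION_STATE):
    """Return one finding per matching Set-Cookie header that lacks Secure.

    Each header is checked on its own. Collapsing headers into a dict keyed
    by cookie name would keep only the last (secure) one and hide the issue.
    """
    findings = []
    for index, header in enumerate(headers):
        name, _, attrs = parse_set_cookie(header)
        if name_pattern.match(name) and "secure" not in attrs:
            findings.append({"index": index, "name": name,
                             "path": attrs.get("path", "(default)")})
    return findings


def times_set(headers, name_pattern=SESSION_STATE):
    """Count how many times each matching cookie name is set."""
    counts = {}
    for header in headers:
        name = parse_set_cookie(header)[0]
        if name_pattern.match(name):
            counts[name] = counts.get(name, 0) + 1
    return counts
```

Because cookies with the same name but different paths are stored as separate cookies, the non-secure copy stays in the browser alongside the secure one, which is why the check works per header rather than per name.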

              People

              Assignee:
              pani.gui Pani Gui (Inactive)
              Reporter:
              vilmos.papp Vilmos Papp

                Dates

                Days since last comment:
                7 years, 44 weeks, 6 days ago

                  Packages

                  Version Package
                  6.1.2 CE GA3
                  6.1.30 EE GA3
                  6.2.0 CE M3