Secure Cookie Attribute

The Secure Cookie attribute controls whether browsers should enforce the encrypted transmission of cookies. This prevents some types of attacks, as the enforced encrypted transmission prevents the session cookie from being read and modified.

Horizon ships with a default HTTP configuration and therefore the Secure Cookie Attribute for the session cookie is set to false. For production environments in which HTTPS is used, it is highly recommended to activate this flag.

To change the Secure Cookie Attribute for the session cookie, you must edit $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/web.xml:

+

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>false</secure> (1)
    <comment>__SAME_SITE_STRICT__</comment>
  </cookie-config>
  <session-timeout>-1</session-timeout>
</session-config>
1 Replace false with true to secure the session cookie.