Secure Cookie Attribute
The Secure Cookie attribute controls whether browsers enforce encrypted transmission of a cookie. Enforcing encrypted transmission prevents some types of attacks, because the session cookie cannot be read or modified in transit.
Meridian ships with a default HTTP configuration and therefore the Secure Cookie Attribute for the session cookie is set to false.
For production environments in which HTTPS is used, it is highly recommended to activate this flag.
Enforce encrypted transmission of the session cookie
To change the Secure Cookie Attribute for the session cookie, you must edit $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/web.xml:
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>false</secure> <!-- (1) -->
    <comment>__SAME_SITE_STRICT__</comment>
  </cookie-config>
  <session-timeout>-1</session-timeout>
</session-config>

(1) Replace false with true to secure the session cookie.
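
To confirm the edit took effect, the cookie settings can be read back from web.xml. The following check is an added example, not part of Meridian: the function names, the namespaced <web-app> wrapper in the sample, and the choice to report a missing element as false are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <session-config> block from this page inside a
# namespaced <web-app> root (the root element and namespace are assumptions).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>false</secure>
      <comment>__SAME_SITE_STRICT__</comment>
    </cookie-config>
    <session-timeout>-1</session-timeout>
  </session-config>
</web-app>
"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def session_cookie_flags(web_xml_text):
    """Return the http-only and secure settings from session-config/cookie-config.

    A missing element is reported as False (an assumption of this example).
    """
    flags = {"http-only": False, "secure": False}
    root = ET.fromstring(web_xml_text)
    for session_config in (e for e in root.iter() if _local(e.tag) == "session-config"):
        for cookie_config in (c for c in session_config if _local(c.tag) == "cookie-config"):
            for child in cookie_config:
                name = _local(child.tag)
                if name in flags:
                    flags[name] = (child.text or "").strip().lower() == "true"
    return flags

def audit(web_xml_text):
    """List findings; an empty list means both flags are enabled."""
    flags = session_cookie_flags(web_xml_text)
    return [f"<{name}> is not true in <cookie-config>" for name, on in flags.items() if not on]

if __name__ == "__main__":
    # Pass the contents of the real web.xml here; the sample shows the shipped default.
    for finding in audit(SAMPLE_WEB_XML) or ["session cookie flags OK"]:
        print(finding)
```

Run against the shipped default, this reports the secure flag as the only finding; after changing false to true the list is empty.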