cookies Secure flag set to false

[alexarobu]

Hi,

It's been flagged to us that the cookies' secure flag is set to false when it should be set to true.
This seems to suggest that it's not intentional:

core-geonetwork/web/src/main/filters/prod.properties

Lines 46 to 47 in 03c2aae

	# set to true to have cookies flagged as Secure in production (requires HTTPS)
	cookieSecureFlag=false

I am running GeoNetwork in a Docker container, on version 4.2.5 (also happens on version 4.2.9)

I tried overwriting the web.xml file to set the value to true instead of using the variable:

core-geonetwork/web/src/main/webResources/WEB-INF/web.xml

Line 548 in 8535b35

<secure>${cookieSecureFlag}</secure>

but this prevents the container from starting.

Is there anything that can be done about this?
Do you know if this can be set as a Docker variable or something like that?

Many thanks,
Elena

[juanluisrp]

In the official GeoNetwork Docker image you can try to use -Djetty.session.secureCookies=true in the JAVA_OPTS environment variable:

https://github.com/geonetwork/docker-geonetwork/blob/164b0e4605dd3cbfca5c9be411ebc75ec2aa9267/4.2.9/docker-compose.yml#L77-L84

will be:

      JAVA_OPTS: >
        -Djetty.session.secureCookies=true
        -Dorg.eclipse.jetty.annotations.AnnotationParser.LEVEL=OFF
        -Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true
        -Xms512M -Xss512M -Xmx2G -XX:+UseConcMarkSweepGC
        -Dgeonetwork.resources.dir=/catalogue-data/resources
        -Dgeonetwork.data.dir=/catalogue-data
        -Dgeonetwork.codeList.dir=/var/lib/jetty/webapps/geonetwork/WEB-INF/data/config/codelist
        -Dgeonetwork.schema.dir=/var/lib/jetty/webapps/geonetwork/WEB-INF/data/config/schema_plugins

If you try it please let me know if it works.

[alexarobu]

@juanluisrp Thank you so much for your suggestion 🙏
I tried and it doesn't seem to make a difference

[alexarobu]

I also tried this so it matches the other variables above it for Jetty:

But it also made no difference 😦