jsfcookiesprimefacesbluemix-app-scan
IBM AppScan - Missing Secure Attribute in Encrypted Session (SSL) Cookie
We have got an Missing Secure Attribute in Encrypted Session (SSL) Cookie issue for primefaces.download based on IBM App Scan DSAT test.
Primefaces version is 7.0
Sample Example : https://www.primefaces.org/showcase/ui/data/dataexporter/basic.xhtml
primefaces.download -- this cookies is set when we download a file
We already have session-config in the web.xml , but when i check in chrome the primefaces.download cookie is not set as http-only and secured .
Is there anything else required to be done when running it on JBOSS 7.2?
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
..........
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
Updated : Issue raised https://github.com/primefaces/primefaces/issues/6040
Solution
A Pull Request to fix the issue in 9.0-SNAPSHOT has been submitted.
- Jakarta Faces 4 / TomEE 10 - Nested composites, same attribute name causes StackoverflowError
- Scrollable Datatable causing splitterpanels to lock and cannot resize
- JSF-generated HTML element ID is changing, how to set it to a fixed element ID?
- java.lang.ClassNotFoundException: jakarta.enterprise.inject.spi.el.ELAwareBeanManager
- JSF or PrimeFaces component for Boolean / how to use Boolean with p:triStateCheckbox
- Keep current tab when updating tabview
- Managed bean not resolved in EL expression after Jakarta migration
- How to disallow invalid LocalDate in f:convertDateTime?
- how to reset primefaces wizard's steps?
- The button/link/text component needs to have a Form in its ancestry. Please add <h:form>
- Primefaces calendar not firing dateSelect
- How do I insert non breaking space character &nbsp; in a JSF page?
- Unable to export the dataTable when one of the column contains only unicode number
- PrimeFaces 13 - Primeicons not displayed when running on Tomcat 10.1.x (Jakarta)
- java.lang.ClassCastException: javax.faces.model.ListDataModel cannot be cast to org.primefaces.model.LazyDataModel
- In file uploading via h:inputFile,How to solve/troubleshoot ,null being of part variable inside upload method?
- How to find out client ID of component for ajax update/render? Cannot find component with expression "foo" referenced from "bar"
- p:remoteCommand inside iterating component like p:dataTable only works for last row
- Understanding PrimeFaces process/update and JSF f:ajax execute/render attributes
- Change page of PrimeFaces dataTable with pagination from commandLink
- Panel not rendering on command button click in primefaces
- How to follow xhtml to Bean class in eclipse?
- How to override h:selectOneRadio renderer? Where is the renderer class in jsf-impl?
- onkeypress allowing only allowed domains while writing email address
- Internationalization in JSF/Faces, when to use message-bundle, resource-bundle and ValidationMessages?
- How make commandButton/commandLink not fully refresh page? How to use f:ajax?
- How to include JSF input field label in Bean Validation error message?
- After upgrading PrimeFaces 6.2 to 12 the <p:messages autoUpdate="true"> does not show up anymore
- Quarkus uber-jar not running with primefaces
- XPages - validator not throwing a message to the screen