I am using Primefaces 11.0.0 and I have a download file component as follows :
<p:commandButton
onclick="PrimeFaces.monitorDownload(startDownload, stopDownload);"
ajax="false"
icon="fa fa-download">
<p:fileDownload value="#{downloadBean.getDownloadFile(document.id)}"/>
</p:commandButton>
My application is running on tomcat behind Nginx and we have a security recommendation to add HTTPOnly,Secure to our cookies so when configuring the HTTPOnly to cookies on Nginx the stopDownload is never get called.
My Nginx config is as follows:
location /myapp {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_cookie_path /myapp "/myapp; HTTPOnly; Secure";
}
How to make stopDownload works with HTTPOnly ?
EDIT:
I was able to make it work by setting HTTPOnly to important session cookies as follows :
proxy_cookie_flags ~ Secure;
proxy_cookie_flags JSESSIONID HTTPOnly Secure;
Is this is the best practice or there's a better solution ?
That is correct.
Because Monitor Download needs to access the cookie with JavaScript to "stop the download" that cookie can not be HTTP Only which is why your code is breaking.
Your JSESSIONID cookie absolutely is correct to lock it down. In my opinion your configuration above is correct.