JasperReports Server uses cookies in several ways:
• userTimezone and userLocale to store user settings
• Repository tree information (all cookies have the prefix tree*)
• Other UI settings such as lastFolderUri and inputControlsPanelWidth
The JSESSIONID cookie is managed by the application server, so its security setting depends on your app server configuration.
Jaspersoft does not set the secure flag on these cookies because we don't want to force you to use secure connections. If you want all cookies to be secure, you must customize the source files that create the cookies. This requires the source code distribution and recompiling and building the server app, as described in the JasperReports Server Source Build Guide.
To customize JasperReports Server so that cookies are sent only via secure connections:
1. For the time zone and locale cookies, open the following file to edit:
jasperserver-war-jar/src/main/java/com/jaspersoft/jasperserver/war/UserPreferencesFilter.java
2. Locate the following code in 2 locations, one for each cookie, and add the middle line to both:
For more information, see the JavaDoc for the setSecure method on the javax.servlet.http.Cookie class.
3. For the repository tree cookies, open the following file to edit:
jasperserver-war/src/main/webapp/scripts/tree.nanotree.js
4. Locate the following line in the setCookie function:
var secure = (argc > 5) ? argv[5] : false;
Replace the entire line with:
var secure = true;
5. For the UI settings cookies, open the following file to edit:
jasperserver-war/src/main/webapp/scripts/utils.common.js
6. Locate the following line:
JSCookie.addVar('cookieTemplate', new Template('#{name}=#{value}; expires={expires}; path=/;'));
Modify the line as follows:
JSCookie.addVar('cookieTemplate', new Template('#{name}=#{value}; expires={expires}; path=/; secure;'));
7. Recompile, rebuild, and redeploy the JasperReports Server application.
This only acts on the cookies; providing a secure connection is up to the client application, usually by configuring and establishing an HTTPS connection, as described in Using SSL in the Web Server. If no secure connection is established, the cookies with the secure flag will not be sent and user settings won’t take effect.
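To check the result after redeploying, the following added example (not part of the JasperReports Server source) audits Set-Cookie header values, or strings assigned to document.cookie, which use the same syntax, and lists the cookies that still lack the secure flag. The function names, the sample lines, the cookie name treefoldersTree and the path /jasperserver are constructed for illustration.

```javascript
// Parse one cookie string into its name and a set of lower-cased attribute names.
// The first name=value pair is the cookie itself, so a value that happens to
// contain the word "secure" is never mistaken for the attribute.
function parseCookie(line) {
  const parts = line.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  const name = eq === -1 ? first : first.slice(0, eq).trim();
  const attrs = new Set();
  for (const p of parts) {
    const i = p.indexOf('=');
    attrs.add((i === -1 ? p : p.slice(0, i)).trim().toLowerCase());
  }
  return { name, attrs };
}

// Map a cookie name to the group this page describes, so the report says
// which source file (or the app server configuration) still needs attention.
function cookieGroup(name) {
  if (name === 'JSESSIONID') return 'app server session';
  if (name === 'userTimezone' || name === 'userLocale') return 'user settings';
  if (name.startsWith('tree')) return 'repository tree';
  return 'other UI settings';
}

// Return the cookies that would still be sent over a plain HTTP connection.
function findInsecureCookies(lines) {
  return lines
    .map(parseCookie)
    .filter((c) => c.name && !c.attrs.has('secure'))
    .map((c) => ({ name: c.name, group: cookieGroup(c.name) }));
}

// Constructed sample input, not captured from a real server.
const SAMPLE = [
  'JSESSIONID=ABC123; Path=/jasperserver; HttpOnly',
  'userLocale=en_US; Path=/; Secure',
  'userTimezone=America/Los_Angeles; Path=/',
  'treefoldersTree=/public; path=/; secure;',
  'lastFolderUri=/reports; expires=Fri, 01 Jan 2027 00:00:00 GMT; path=/;',
  'inputControlsPanelWidth=300; path=/; SECURE',
];

for (const c of findInsecureCookies(SAMPLE)) {
  console.log(`missing Secure: ${c.name} (${c.group})`);
}
```

The attribute match is case-insensitive, so secure, Secure and SECURE are all accepted.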