Setting the Secure Flag on Cookies

JasperReports Server uses cookies in several ways:

userTimezone and userLocale to store user settings
Repository tree information (all cookies have the prefix tree*)
Other UI settings such as lastFolderUri and inputControlsPanelWidth

The JSESSIONID cookie is managed by the application server, so its security setting depends on your app server configuration.

Jaspersoft doesn't set the secure flag on these cookies because we don't want to force you to use secure connections. If you want all cookies to be secure, you must customize the source files that create the cookies. This requires the source code distribution and recompiling and building the server app, as described in the JasperReports Server Source Build Guide.

To customize JasperReports Server so cookies are sent only via secure connections:

1. For the time zone and locale cookies, open the following file to edit:


2. Locate the code that creates each cookie (it appears in 2 locations, one for each cookie) and add the following line in both places:

cookie.setSecure(true); /* requires HTTPS */

For more information, see the JavaDoc for the setSecure method on the javax.servlet.http.Cookie class.

3. For the repository tree cookies, open the following file to edit:


4. Locate the following line in the setCookie function:

var secure = (argc > 5) ? argv[5] : false;

Replace the entire line with:

var secure = true;

5. For the UI settings cookies, open the following file to edit:


6. Locate the following line:

JSCookie.addVar('cookieTemplate', new Template('#{name}=#{value}; expires=#{expires}; path=/;'));

Modify the line as follows:

JSCookie.addVar('cookieTemplate', new Template('#{name}=#{value}; expires=#{expires}; path=/; secure;'));

7. Recompile, rebuild, and redeploy the JasperReports Server application.

These changes act only on the cookies themselves. Providing a secure connection is up to the client application, usually by configuring and establishing an HTTPS connection, as described in Enabling SSL in Tomcat. If no secure connection is established, the browser will not send cookies that carry the secure flag, and user settings won't take effect.
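The following is an added example, not JasperReports Server code, that models what steps 4 and 6 change on the JavaScript side and what the paragraph above warns about. It reimplements only the #{name} placeholder substitution of Prototype's Template (the real library does more), builds cookie strings with the secure attribute forced on, and includes a small Set-Cookie parser so you can check a captured response for cookies that still lack the flag. The function and variable names, and the sample header values, are assumptions made for this example.

```javascript
// Added example (not JasperReports Server code). Names are hypothetical.

// Stand-in for Prototype's Template: substitute #{key} placeholders only.
function renderCookieTemplate(template, values) {
  return template.replace(/#\{(\w+)\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(values, key) ? String(values[key]) : match);
}

// The template from step 6 after the change, with "secure;" appended.
const COOKIE_TEMPLATE = '#{name}=#{value}; expires=#{expires}; path=/; secure;';

// Stand-in for the setCookie function from step 4 after the change: there is
// no "secure" argument any more, the attribute is always emitted.
function buildSecureCookie(name, value, expires, path) {
  // RFC 6265 token characters only; reject anything that could inject attributes.
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) {
    throw new Error('invalid cookie name: ' + name);
  }
  let cookie = name + '=' + encodeURIComponent(value);
  if (expires instanceof Date) cookie += '; expires=' + expires.toUTCString();
  cookie += '; path=' + (path || '/');
  cookie += '; secure';
  return cookie;
}

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
// Flag attributes such as Secure and HttpOnly are stored as true.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const eq = p.indexOf('=');
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : p.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// Names of cookies in a captured response that do not carry the Secure flag.
function findInsecureCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(c => c.attrs.secure !== true)
    .map(c => c.name);
}

// The caveat from the page: a browser only sends a Secure cookie over HTTPS.
function wouldBrowserSend(parsedCookie, requestIsHttps) {
  return parsedCookie.attrs.secure !== true || requestIsHttps === true;
}

// Constructed sample headers, using the cookie names the page lists.
const SAMPLE_HEADERS = [
  'JSESSIONID=constructedsessionid; Path=/jasperserver; HttpOnly',
  'userTimezone=America/New_York; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Path=/; Secure',
  'lastFolderUri=%2Fpublic; Path=/',
];

console.log('cookies without Secure flag:', findInsecureCookies(SAMPLE_HEADERS));
const rendered = renderCookieTemplate(COOKIE_TEMPLATE, {
  name: 'inputControlsPanelWidth', value: '300', expires: 'Fri, 01 Jan 2027 00:00:00 GMT',
});
console.log('rendered template:', rendered);
console.log('sent over plain HTTP?', wouldBrowserSend(parseSetCookie(rendered), false));
```

Run it with node; the JSESSIONID and lastFolderUri sample cookies are reported as lacking the flag, and the rendered template cookie is reported as not sent over plain HTTP, which is exactly the behaviour the last paragraph describes. In a real deployment the same check can be applied to the Set-Cookie headers of a response captured after you have rebuilt and redeployed the server.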