Forcing cookies sent over HTTPS only (setting secure flag)

Cookies set by PAS can be forced to include the secure flag. By default, PAS tries to guess whether the flag should be set. When PAS runs behind a reverse proxy that terminates SSL/TLS and the connection between the proxy and PAS is plain HTTP, this guess often produces a less secure setup: PAS only sees plain HTTP, so the secure flag is not set.

How to set

In the start-up script for Linux, or in the vmoptions file for Windows, add the startup parameter:

-Dphenixid.auth.cookie.force.secure

A reboot is required for the change to take effect.

Once this is set, direct plain-HTTP connections will not work as expected: any part of the system that is served over plain HTTP without an SSL/TLS proxy in front will stop working, because browsers do not send a cookie carrying the secure flag over HTTP.

The HTTP API is not affected, since cookies are not used in that scenario.
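To confirm the setting took effect, inspect the Set-Cookie headers that reach the browser through the proxy and flag any cookie lacking the Secure attribute. The following is an added example, not PAS's own code; the header blocks and the cookie name `pas_session` are constructed for illustration.

```python
def cookies_missing_secure(raw_headers: str) -> list[str]:
    """Return the names of cookies set without the Secure attribute.

    raw_headers is a raw HTTP response header block, e.g. captured with
    'curl -sSI https://host/' against the public (proxied) endpoint.
    Each Set-Cookie line is split into 'name=value' plus attributes;
    attribute matching is case-insensitive, as browsers treat it.
    """
    missing = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0].strip()
        attributes = {p.lower() for p in parts[1:]}
        if "secure" not in attributes:
            missing.append(cookie_name)
    return missing


# Constructed sample: response before the flag is forced (guess failed
# behind an SSL/TLS-terminating proxy, so no Secure attribute).
BEFORE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: pas_session=constructed123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)

# Constructed sample: response after -Dphenixid.auth.cookie.force.secure
# is added and the server restarted.
AFTER_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: pas_session=constructed123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    for label, headers in (("before", BEFORE_HEADERS), ("after", AFTER_HEADERS)):
        bad = cookies_missing_secure(headers)
        print(f"{label}: {'OK' if not bad else 'missing Secure on ' + ', '.join(bad)}")
```

Run the check against the address users actually connect to (the proxy's HTTPS endpoint), since that is where the flag must be present.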