SESSION_COOKIE
The SESSION_COOKIE element specifies that cookies the GAS uses to validate the session are created with the secure flag.
Syntax
<SESSION_COOKIE Secure={"TRUE"|"FALSE"} [SameSite={"STRICT|LAX|NONE"}]></SESSION_COOKIE>
The SESSION_COOKIE element takes a mandatory Secure attribute and an optional SameSite attribute.
- Secure: Valid values are TRUE or FALSE. When set to TRUE, the cookie is restricted to secured connections (HTTPS) only. The default is FALSE.
- The SameSite attribute determines whether the cookie is restricted to a same-site context. Valid values are:
  - Strict: The cookie is sent only if the site for the cookie matches the site currently shown in the browser. The cookie is not sent if the user follows a link from another site.
  - Lax: The cookie can be sent with top-level navigations and with GET requests initiated by third-party websites.
  - None: The cookie is sent in all contexts. The Secure attribute must be set to TRUE and the request must be made over HTTPS.
  The default value is strict.
Child elements
There are no child elements.
Usage
The main goal of cookies is to keep a state, using session variables, between two runs of an application by the same user. You use the SESSION_COOKIE element to specify that Genero session identifier cookies, including cookies created by Sticky Web services, are created with the secure flag and the SameSite attribute set to strict.
You may need to set the Secure and SameSite attributes.
Example secure session cookie
<INTERFACE_TO_CONNECTOR>
  ...
  <HTTP>
    <SESSION_COOKIE SameSite="None" Secure="TRUE" > </SESSION_COOKIE>
    ...
  </HTTP>
</INTERFACE_TO_CONNECTOR>
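The attribute rules described above can be checked against a configuration fragment before deployment. The following is an added example, not part of the Genero documentation or product; the function name, the case-insensitive value comparison, and the sample fragments are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragments; only SESSION_COOKIE and its parents come from the page.
WRAP = "<INTERFACE_TO_CONNECTOR><HTTP>{}</HTTP></INTERFACE_TO_CONNECTOR>"
GOOD = WRAP.format('<SESSION_COOKIE SameSite="None" Secure="TRUE"></SESSION_COOKIE>')
WEAK = WRAP.format('<SESSION_COOKIE SameSite="None" Secure="FALSE"></SESSION_COOKIE>')
DEFAULTED = WRAP.format('<SESSION_COOKIE Secure="TRUE"></SESSION_COOKIE>')
INCOMPLETE = WRAP.format('<SESSION_COOKIE SameSite="Lax"></SESSION_COOKIE>')


def audit_session_cookie(xml_text):
    """Return findings for each SESSION_COOKIE element in a config fragment."""
    elements = list(ET.fromstring(xml_text).iter("SESSION_COOKIE"))
    if not elements:
        return ["no SESSION_COOKIE element found"]
    findings = []
    for el in elements:
        secure = el.get("Secure")
        # SameSite is optional; the page documents strict as its default.
        samesite = (el.get("SameSite") or "strict").lower()
        # Assumption: attribute values are compared case-insensitively.
        secure_on = secure is not None and secure.upper() == "TRUE"
        if secure is None:
            findings.append("Secure is mandatory but missing")
        elif secure.upper() not in ("TRUE", "FALSE"):
            findings.append(f"Secure has invalid value {secure!r}")
        elif not secure_on:
            findings.append("Secure=FALSE: cookie is not restricted to HTTPS")
        if samesite not in ("strict", "lax", "none"):
            findings.append(f"SameSite has invalid value {samesite!r}")
        elif samesite == "none" and not secure_on:
            findings.append("SameSite=None requires Secure=TRUE")
    return findings


if __name__ == "__main__":
    for name, fragment in [("GOOD", GOOD), ("WEAK", WEAK),
                           ("DEFAULTED", DEFAULTED), ("INCOMPLETE", INCOMPLETE)]:
        print(name, audit_session_cookie(fragment) or "ok")
```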
Secure session cookie in web.xml
Note:
If using a Java Enterprise Edition (J2EE) server, the secure flag needs to be configured in the web.xml file as shown in the example:
<web-app>
  ...
  <session-config>
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
Parent elements
This element is a child of the HTTP (Common) element.