I want to make my JSF application less vulnerable to session hijacking. So I have added the following code to the web.xml file.
<session-config>
    <session-timeout>
        60
    </session-timeout>
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
        <max-age>1800</max-age>
    </cookie-config>
</session-config>
Then when I run the application, deployment fails in Payara Server with the following message.
Deployment descriptor file WEB-INF/web.xml in archive [chims-0.1]. cvc-complex-type.2.4.a: Invalid content was found starting with element '{"http://xmlns.jcp.org/xml/ns/javaee":http-only}'. One of '{"http://xmlns.jcp.org/xml/ns/javaee":max-age}' is expected.
I use version 4 of web.xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
How can I get rid of this error?
The http-only element comes before the secure element in the sequence. See web-common_4_0.xsd for the cookie-configType type description.
Your config should be:
<session-config>
    <session-timeout>
        60
    </session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
        <max-age>1800</max-age>
    </cookie-config>
</session-config>
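The deployment error above is only reported once the archive reaches the container. As an added example (not part of the question or the answer), the following Python script checks the child order of session-config and cookie-config against the xsd:sequence in web-common_4_0.xsd (the order the answer cites: name, domain, path, comment, http-only, secure, max-age; session-configType is session-timeout, cookie-config, tracking-mode) and also flags a session cookie that is not marked HttpOnly and Secure. It uses only the standard library; the two web.xml documents it runs on are constructed for this example and mirror the configs posted above.

```python
"""Lint the <session-config> block of a Servlet 4.0 web.xml before deploying.

Child order is checked against the xsd:sequence definitions in
web-common_4_0.xsd; http-only/secure are checked for hardening.
The sample documents at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://xmlns.jcp.org/xml/ns/javaee"

# Children of cookie-configType, in schema order (all minOccurs="0").
COOKIE_CONFIG_SEQUENCE = ["name", "domain", "path", "comment",
                          "http-only", "secure", "max-age"]
# Children of session-configType, in schema order (tracking-mode may repeat).
SESSION_CONFIG_SEQUENCE = ["session-timeout", "cookie-config", "tracking-mode"]


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def check_sequence(element, expected):
    """Return problems for children of `element` that are unknown or out of order.

    Mirrors an xsd:sequence whose members are all optional: each child must be
    a known name and must not come earlier in the sequence than the previous one.
    """
    problems = []
    last_index = -1
    for child in element:
        name = _local(child.tag)
        if name not in expected:
            problems.append(f"unexpected element <{name}> in <{_local(element.tag)}>")
            continue
        index = expected.index(name)
        if index < last_index:
            problems.append(f"<{name}> must come before <{expected[last_index]}>")
        last_index = max(last_index, index)
    return problems


def lint_session_config(web_xml_text):
    """Return schema-order and hardening findings for a web.xml string (empty list = ok)."""
    root = ET.fromstring(web_xml_text)
    ns = {"j": JAVAEE_NS}
    session = root.find("j:session-config", ns)
    if session is None:
        return ["no <session-config> element; container defaults apply"]
    findings = check_sequence(session, SESSION_CONFIG_SEQUENCE)
    cookie = session.find("j:cookie-config", ns)
    if cookie is None:
        return findings + ["no <cookie-config>; HttpOnly/Secure not set in web.xml"]
    findings += check_sequence(cookie, COOKIE_CONFIG_SEQUENCE)
    # Hardening: both flags must be present and literally "true".
    for flag in ("http-only", "secure"):
        node = cookie.find(f"j:{flag}", ns)
        value = (node.text or "").strip().lower() if node is not None else "absent"
        if value != "true":
            findings.append(f"<{flag}> is {value}; session cookie exposed to script/cleartext")
    return findings


def _web_app(cookie_children):
    """Wrap cookie-config children in a minimal Servlet 4.0 web.xml (constructed sample)."""
    return f"""<web-app xmlns="{JAVAEE_NS}" version="4.0">
  <session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
{cookie_children}
    </cookie-config>
  </session-config>
</web-app>"""


# The order from the question: rejected by the container's XSD validation.
BROKEN = _web_app("      <secure>true</secure>\n"
                  "      <http-only>true</http-only>\n"
                  "      <max-age>1800</max-age>")
# The order from the answer.
FIXED = _web_app("      <http-only>true</http-only>\n"
                 "      <secure>true</secure>\n"
                 "      <max-age>1800</max-age>")

if __name__ == "__main__":
    for label, doc in (("question", BROKEN), ("answer", FIXED)):
        print(label, lint_session_config(doc) or ["ok"])
```

Running it on the question's config reports that http-only must come before secure; the answer's config passes. Two points worth keeping in mind when applying this config: secure=true means the browser only sends JSESSIONID over HTTPS, so the application must actually be served over TLS or logins will silently fail, and max-age in cookie-config is the cookie's Max-Age in seconds, separate from session-timeout, which is in minutes.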