We Keep Coding

How to set secure flag true in spring mvc

I am not getting how to set flag secure to true in spring mvc.
I have tried the following four ways but I'm unable to get any solution:
1) Set http-only on cookies created in Spring MVC Controller
2) Forcing Tomcat to use secure JSESSIONID cookie over http
3) https://www.owasp.org/index.php/SecureFlag
4) https://www.whitehatsec.com/blog/session-cookie-httponly-flag-java/
I have tried this code also and placed in web.xml
<session-config>
<session-timeout>20</session-timeout>
<cookie-config>
<secure>true</secure>
</cookie-config>
</session-config>
but it's not working.
i have tried using java:
Cookie cookie = new Cookie("timestamp", new Long(new Date().getTime()).toString());
cookie.setSecure(true);
I placed above code in Interceptor
but this is also not working.
When I check in my browser/resources to check whether my flag is set to secure or not.
but none of the ways is working.
Please tell me where I am going wrong.

Is there some way to delete session info from address line when redirecting?

I am using Wildfly, Spring MVC in my project.
And after redirecting to another page of my project - to my browser address line appears some session info like in this image:
p.s. When i were using Tomcat - there was no such problems.
Is there an optimal way to stop auto-adding session information in the address bar?
Thanks.
Update:
In the normal situation, when i were redirecting in my past projects(for example) from page "index" to page "login" i saw something like this: "myapp.com/login"
But now i saw:"myapp.com/login;jsessionid=nGTE5tfW3hUZZOP1yQTF4Mrh3PRbNu8UyY8UBkmx.coderunit".
I didn't made some special options to my app server to cancel this session info additions. Maybe there are some special tool for it.

I solved this problem.
There is some spectial option for web.xml.
This is the default behavior of a servlet container. If the client doesn’t include a cookie in the first request, the container cannot tell whether the client supports cookies or not. Therefore the container embeds the session id in the URL.
You can disable this in your web.xml using the session-config element:
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
It helped me. Good luck.

Enforce javax.faces.application.ViewExpiredException for testing application

I would like to test my webapplication (JSF 2.2) which has a custom Esxception Handler Factory.
Now i would like to know if everything works as expected when a javax.faces.application.ViewExpiredException is thrown. Is there any way, I can decrease the time to wait for getting this exception?
Throwing it programmatically is not an option, as I would like to have a nearly 100% productive test scenario.

As far as I'm concerned, it should be enough to force a Session expiration while you keep the JSF view state in the server side:
Setting STATE_SAVING_METHOD to client has however an additional functional advantage: it prevents ViewExpiredExceptions when the session has expired or when the client opens too many views.
So, being the javax.faces.STATE_SAVING_METHOD defaulted to server, you only need to specify the timeout you want for the Http Session:
<session-config>
<session-timeout>2</session-timeout>
</session-config>
As an alternative, you could choose to set your own limit of views. That depends on the concrete JSF implementation, Mojarra defaults to 16 and MyFaces to 20. For the first one, you could use com.sun.faces.numberOfLogicalViews to decrease the amount of views accepted simultaneously per client. As an example, setting it to 3 should fire the exception when you've got four tabs opened in the same browser (same Http Session).
See also:
What is STATE_SAVING_METHOD parameter in JSF 2.0
Session TimeOut in web.xml
How can I set the view timeout?

In Google Chrome you can use the Developer Tools to delete the session cookie.

Web.xml
you should have something like:
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
Where the timeout is in minutes, so set to 1

How do Tomcat's Cookies work?

I am confused about a couple things regarding cookies.
Why do I need to use/customize javax.servlet.http.Cookie class in order to implement a Remember me feature?
In my web.xml couldn't I just use?:
<session-config>
<session-timeout>10080</session-timeout>
</session-config>
Isn't it a security issue having cookies on a computer? Couldn't a cracker steal another user's cookie and hijack their session?

You don't - you just need to create an http session. Tomcat will either create a cookie or use a jsessionid URL parameter to maintain your session - this is part of the Java EE servlet specification. If you use a JSP then they automatically create http sessions. Various other things can cause sessions to be created also.
Yes, this is called session hijacking.

Java EE / Struts persistent sessions

I'm doing my first Java EE web application and I'm struggling with sessions.
in my web.xml file I put the following settings:
<session-config>
<session-timeout>30</session-timeout>
</session-config>
But if I close my browser which is not configured to delete cookies on close,
after reopen the session is over.
How can I have a "persistent" session ?

check if a cookie named Jsessionid is getting created during your first request. And close your browser open it again and check if that cookie is still there and value is same.
I think it will not be, and that is the reason your session expires.

When a cookie's expiration is set to "session", it will get deleted by the browser when the user closes the browser. This has nothinng to do with the web.xml session-timeout setting, which will force-close the Java EE session server-side if there are no requests by the user in the designated timespan.
Spring has "remember me" functionality:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html