
/elmr/session does not return secure cookies! #8

Open
ddriddle opened this issue Apr 5, 2019 · 1 comment
Labels
bug Something isn't working

Comments

@ddriddle
Contributor

ddriddle commented Apr 5, 2019

Elmr does not set the Secure or HttpOnly flags for the cookie it creates as can be seen here:

$ curl --cookie '__edu.illinois.techservices.elmr.serviceUrl=/foo/bar' -sD - http://127.0.0.1/auth/elmr/session
HTTP/1.1 302 302
Server: nginx/1.14.2
Date: Fri, 05 Apr 2019 19:05:37 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: __edu.illinois.techservices.elmr.servlets.sessionKey=MTIzNA==; Path=/
Location: http://127.0.0.1/foo/bar

Secure should be set to prevent the cookie from being sent in the clear:

When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).
https://tools.ietf.org/html/rfc6265#section-4.1.2.5

HttpOnly should be set to prevent JavaScript attacks:

The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts).
https://tools.ietf.org/html/rfc6265#section-4.1.2.6
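As an added example (not part of the issue and not Elmr's own code), the following Python script audits the Set-Cookie headers in a raw response header block, such as the one captured with `curl -sD -` above, and reports which cookies lack the Secure and HttpOnly attributes the report calls for. The two header blocks embedded in the script are constructed inputs: the first reproduces the headers quoted in the report, the second is a hypothetical hardened response for comparison. It goes a little beyond the report by also noting a missing SameSite attribute, which RFC 6265 does not define but which current browsers honour.

```python
# Audit Set-Cookie headers for missing Secure / HttpOnly (and SameSite) attributes.
# Feed it the raw header block printed by `curl -sD - <url>`.

# Constructed sample 1: the headers quoted in the issue (sessionKey cookie lacks both flags).
RAW_WEAK = """HTTP/1.1 302 302
Server: nginx/1.14.2
Date: Fri, 05 Apr 2019 19:05:37 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: __edu.illinois.techservices.elmr.servlets.sessionKey=MTIzNA==; Path=/
Location: http://127.0.0.1/foo/bar
"""

# Constructed sample 2: a hypothetical hardened response (not captured from Elmr).
RAW_HARDENED = """HTTP/1.1 302 302
Set-Cookie: __edu.illinois.techservices.elmr.servlets.sessionKey=MTIzNA==; Path=/; Secure; HttpOnly; SameSite=Lax
Location: https://127.0.0.1/foo/bar
"""

# Attributes a session cookie should carry. Secure and HttpOnly are the ones the
# report asks for; SameSite is an extra, browser-supported defence against CSRF.
REQUIRED = ("Secure", "HttpOnly")
RECOMMENDED = ("SameSite",)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value_or_None}).

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased.
    Flag attributes without a value (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs


def audit_cookies(raw_headers):
    """Return {cookie_name: {"missing": [...], "recommended": [...]}} for every
    Set-Cookie line in a raw header block."""
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, val = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(val)
        findings[name] = {
            "missing": [a for a in REQUIRED if a.lower() not in attrs],
            "recommended": [a for a in RECOMMENDED if a.lower() not in attrs],
        }
    return findings


def is_hardened(raw_headers):
    """True only when every cookie in the block carries all REQUIRED attributes."""
    return all(not f["missing"] for f in audit_cookies(raw_headers).values())


if __name__ == "__main__":
    for label, block in (("weak", RAW_WEAK), ("hardened", RAW_HARDENED)):
        for cookie, result in audit_cookies(block).items():
            print(f"[{label}] {cookie}: missing={result['missing']} "
                  f"recommended={result['recommended']}")
```

Run against a live endpoint with `curl -sD - -o /dev/null <url> | python3 audit_cookies.py` after adapting the `__main__` block to read stdin; the `missing` list for the session cookie is what a deployment check should assert is empty.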

@ddriddle ddriddle added the bug Something isn't working label Apr 5, 2019
@argherna
Contributor

argherna commented Apr 9, 2019

Are you running with edu.illinois.techservices.elmr.servlets.DisableSecureCookies set to true? If so, that could be the culprit. By default, not setting this will enable secure cookies.
