How to mark container generated session cookie as secure without turning on SSL?

Gaurav Lodha
Greenhorn

Joined: Jun 18, 2010
Posts: 5
My application is hosted by a container behind a firewall; the firewall is enforcing SSL, but the container is not aware of it. A security scan of the application pointed out that the session cookies exchanged between client and server are not marked as secure. Can I mark cookies as secure without making any changes on the container?

I have tried following options -

1. Implemented a filter and passed a response wrapper
Overridden addCookie, setHeader and addHeader methods in wrapper. None of the methods in the wrapper gets called when request.getSession is invoked.

These methods are getting called when I attempt to add a cookie or set a header in the response, so it is clear that the wrapper is working correctly.

2. The function call containsHeader("Set-Cookie") returns false after invoking request.getSession().

3. Created a cookie (JSESSIONID, "sessionidvalue"), marked it as secure and added it to the response. Still, the request coming from the client has a JSESSIONID cookie which is not secure.

I am using OAS 10.1.2 as the container. Is there any configuration file at the server which can set cookies as secure?

Any suggestions are appreciated.

Thanks
Gaurav
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12778
    
    5
Security scan for application pointed that session cookies that are exchanged between client and server are not marked as secure.


My first question would be: What is conducting this "security scan"? What does it look at?

The number of things you can do to a session is very clearly explained in the JavaDocs and servlet API. Perhaps there is more flexibility in filtering the headers which set and read the "cookies."

Bill

Gaurav Lodha
Greenhorn

Joined: Jun 18, 2010
Posts: 5
By security scan I am referring to the AppScan software by IBM - this software looks for security holes in the system like caching, GET calls, cross script hacking, SQL injects, insecure cookies etc.
It monitors responses sent by the server and manipulates user requests to check if a hacker can get unauthorized access to the system.

I am able to filter setHeaders and addCookie calls which are called inside application code, but these filters are no good when I am trying to filter headers and cookies set by container.
More specifically, I am trying to manipulate session cookie before it is sent to user. Container somehow doesn't allow me to step in for session cookies.

I am using Servlet 2.4.

Thanks
Gaurav
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12778
    
    5
Thank you for the complete explanation.

Are you required to use HttpSession as supplied by the container or can you invent your own implementation of the HttpSession interface?

How can you mark a cookie as secure to satisfy the scan?

How much control do you have over the client side?

With Amazon's S3 service you can have a public key/private key system to control access. Could your clients use that sort of thing?

Bill
Gaurav Lodha
Greenhorn

Joined: Jun 18, 2010
Posts: 5
Hi Bill,

Thanks for your response. I think it is not recommended to write an implementation of container-provided classes (HttpSession). I have used the Sun-provided HttpResponseWrapper class to take control of the response.

The Cookie class provides a method, setSecure, which marks cookies as secure so that they can be sent over HTTPS only.

Since the container-generated cookie for the session doesn't allow me to take control of it and manipulate it, I cannot mark it as secure. I don't have much control of the client side. Also, introducing a third party (Amazon) will not go well with my customers.

I know cookies can be marked as secure by configuring the container (in my case Oracle 10.1.2, so getting a certificate and marking the application as secure), but I don't want to mark the application as secure as it is already using SSL through the firewall. It's just that the container is not aware of it.

Gaurav
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12778
    
    5
As near as I can tell, the Cookie method setSecure sets a private boolean flag in the Cookie class which the container can look at with the getSecure method.

This flag prevents sending a marked cookie over a non-SSL connection so even if you could set it, the container would have to know that SSL is in use or it would not be sent.

It appears you will have to force the container to use SSL in order to satisfy the requirement.

I just mentioned the Amazon mechanism as an example of public key signing of a message, not suggesting you should use Amazon.

Bill
Gaurav Lodha
Greenhorn

Joined: Jun 18, 2010
Posts: 5
Thanks Bill.

Yes, it appears that I need to turn on SSL for the container.

I know that some containers like WebLogic, WAS allow configuring cookies from container (i.e. marking them as HttpOnly or Secure) but Oracle 10.1.2 doesn't provide any such mechanism.

I just mentioned the Amazon mechanism as an example of public key signing of a message, not suggesting you should use Amazon.

Sorry, I misunderstood; but even public key signing of the message will not work for us.
