Problem in using HTTPOnly attribute

Dushyant Agarwal
Ranch Hand

Joined: Oct 14, 2007
Posts: 75
Hi,
I am trying to provide a solution for a security vulnerability in an application using Servlet 2.4, Struts 1.3 and JBoss 4.2.0. For this I need to set the cookie type as HttpOnly. I have found that:
1. Starting from Servlet 3.0 the Cookie interface has an HttpOnly attribute.
2. Starting from Tomcat 6.0 we can provide a useHttpOnly context param in context.xml.

I also found that for older versions the workaround is to rewrite the JSESSIONID value using and setting it as a custom header.


I tried setting useHttpOnly in <JBOSS_HOME>/server/default/deploy/jboss-web.deployer/context.xml, but I can still access the cookie with client-side script.

1. Since I am using Servlet 2.4 I may have to rebuild the header to put httpSessionOnly.
2. I am using JBoss 4.2.0, which has embedded Tomcat v. < 5.0; it might not recognize the httpSessionOnly attribute.



Please help me find a solution.

Thanks,
Dushyant
