JavaRanch » Java Forums » Java » Servlets
Problem in using HTTPOnly attribute

Dushyant Agarwal
Ranch Hand

Joined: Oct 14, 2007
Posts: 75
I am trying to provide a solution for a security vulnerability in an application using Servlet 2.4, Struts 1.3 and JBoss 4.2.0. For this I need to set the cookie type as HttpOnly. I have found that:
1. Starting from Servlet 3.0, the Cookie interface has an HttpOnly attribute.
2. Starting from Tomcat 6.0, we can provide a useHttpOnly context param in context.xml.

I also found that for older versions the workaround is to rewrite the JSESSIONID value using and setting it as a custom header.

I tried setting useHttpOnly in <JBOSS_HOME>/server/default/deploy/jboss-web.deployer/context.xml. But I can still access the cookie with client-side script.

1. Since I am using Servlet 2.4, I may have to rebuild the header to put httpSessionOnly.
2. I am using JBoss 4.2.0, which has an embedded Tomcat version < 5.0; it might not recognize the httpSessionOnly attribute.

Please help me find a solution.
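The "rewrite the JSESSIONID header" workaround mentioned above, written out as a Servlet 2.4 filter. This is an added example, not code from the original post or from JBoss/Tomcat; it assumes the javax.servlet 2.4 API on the classpath, and the class name HttpOnlySessionCookieFilter and the helper buildSessionCookie are names chosen for this example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical Servlet 2.4 filter (name chosen for this example) that re-emits the
 * JSESSIONID cookie with the HttpOnly flag, which the 2.4 Cookie class cannot express.
 * The container still queues its own Set-Cookie for the session; setHeader() replaces it.
 */
public class HttpOnlySessionCookieFilter implements Filter {

    private static final String SESSION_COOKIE_NAME = "JSESSIONID";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Create the session now, while no part of the response has been committed;
        // once the response is committed, headers can no longer be changed.
        HttpSession session = request.getSession(true);

        // Only re-emit the cookie on the response that creates the session; on later
        // requests the browser already holds the cookie and nothing needs rewriting.
        if (session.isNew()) {
            String contextPath = request.getContextPath();
            String path = contextPath.length() == 0 ? "/" : contextPath;
            // setHeader replaces every Set-Cookie header already queued, including the
            // container's own JSESSIONID cookie, so it must run before the application
            // adds cookies of its own (which is why this happens before chain.doFilter).
            response.setHeader("Set-Cookie",
                    buildSessionCookie(session.getId(), path, request.isSecure()));
        }
        chain.doFilter(req, resp);
    }

    public void destroy() { }

    /**
     * Builds the Set-Cookie value by hand, because Servlet 2.4's Cookie class has no
     * HttpOnly setter. Secure is added on HTTPS requests so the browser never sends the
     * session id over plain HTTP.
     */
    static String buildSessionCookie(String sessionId, String path, boolean secure) {
        StringBuilder sb = new StringBuilder();
        sb.append(SESSION_COOKIE_NAME).append('=').append(sessionId)
          .append("; Path=").append(path)
          .append("; HttpOnly");
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }
}
```

Map the filter in web.xml with a filter-mapping on /* so it runs before Struts. Two caveats: the filter creates a session on every request that does not already have one (including static resources), and setHeader discards any Set-Cookie an earlier filter queued. To check the result, look at the Set-Cookie header of the first response from the server rather than only at document.cookie in the browser; the JSESSIONID line should end in HttpOnly.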

