JavaRanch » Java Forums » Java » Servlets
Problem in using HTTPOnly attribute

Dushyant Agarwal
Ranch Hand

Joined: Oct 14, 2007
Posts: 75
Hi,
I am trying to provide solution for a security vulnerability in an application, using servlet 2.4, struts 1.3, JBoss- 4.2.0. For this I require to put cookie type as HttpOnly. I have found that
1. Starting from servlet v. 3.0 Cookie interface has HttpOnly attribute.
2. Starting from Tomcat 6.0 we can provide a useHttpOnly context param in context.xml.

I also found that for older versions the workaround is to rewrite JSESSIONID value using and setting it as a custom header.


I tried setting useHttpOnly in <JBOSS_HOME>/server/default/deploy/jboss-web.deployer/context.xml. But I can still access the cookie with client side script.

1. Since I am using servlet 2.4 I may have to rebuild the header to put httpSessionOnly.
2. I am using JBoss 4.2.0 - that has embedded Tomcat v. < 5.0, it might not recognize the httpSessionOnly attribute.



Please help me find a solution.

Thanks,
Dushyant
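The Servlet 2.4 workaround mentioned in the post (rewriting the JSESSIONID Set-Cookie header by hand) as an added example; this is not code from the thread or from JBoss/Struts. It assumes a Tomcat-based container where `response.setHeader("Set-Cookie", ...)` replaces the session cookie the container has already queued, and that the filter is mapped to `/*` ahead of the Struts action servlet in web.xml.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Rewrites the JSESSIONID Set-Cookie header so that it carries the HttpOnly
 * flag on a Servlet 2.4 container, where Cookie has no setHttpOnly().
 * Map it to /* in web.xml, ahead of the Struts action servlet.
 */
public class HttpOnlySessionCookieFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Create the session now, so the container's own Set-Cookie header
        // (without HttpOnly) is already on the response and can be replaced.
        HttpSession session = request.getSession(true);

        // Session cookies are scoped to the context path; the root context is "".
        String path = request.getContextPath();
        if (path == null || path.length() == 0) {
            path = "/";
        }

        StringBuilder cookie = new StringBuilder("JSESSIONID=")
                .append(session.getId())
                .append("; Path=").append(path)
                .append("; HttpOnly");
        if (request.isSecure()) {
            cookie.append("; Secure"); // keep the session id off plain HTTP
        }

        // setHeader replaces every existing Set-Cookie value, which is why this
        // runs before the chain: cookies the application adds later survive.
        response.setHeader("Set-Cookie", cookie.toString());

        chain.doFilter(request, response);
    }
}
```

If an action invalidates and recreates the session after this filter has run, the container writes a fresh Set-Cookie without HttpOnly for that response, so session regeneration (for example after login) needs the same rewrite applied at that point.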

 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Problem in using HTTPOnly attribute
 
Similar Threads
Session management ambiguity
Need to set HTTPONLY value to make cookies secure!!!
Struts2 cookies
Setting HttpOnly and Secure attributes in Struts2
after migrate from 4.0.1 to 4.2.0, cannot load web.xml in .war/WEB-INF