
Problem in using HTTPOnly attribute

 
Dushyant Agarwal
Ranch Hand
Posts: 75
Hi,
I am trying to provide a solution for a security vulnerability in an application using servlet 2.4, struts 1.3 and JBoss 4.2.0. For this I need to set the cookie type as HttpOnly. I have found that
1. Starting from servlet v. 3.0, the Cookie interface has an HttpOnly attribute.
2. Starting from Tomcat 6.0, we can provide a useHttpOnly context param in context.xml.

I also found that for older versions the workaround is to rewrite the JSESSIONID value and set it as a custom header.


I tried setting useHttpOnly in <JBOSS_HOME>/server/default/deploy/jboss-web.deployer/context.xml, but I can still access the cookie with client-side script.

1. Since I am using servlet 2.4, I may have to rebuild the header to put httpSessionOnly.
2. I am using JBoss 4.2.0, which has embedded Tomcat v. < 5.0; it might not recognize the httpSessionOnly attribute.



Please help me find a solution.

Thanks,
Dushyant

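As an added example, not code from the original post or from JBoss: the header-rewrite workaround the post refers to, written as a servlet 2.4 Filter. Where the container does not honor useHttpOnly and the Cookie API has no HttpOnly setter, the filter makes sure the session exists and then overwrites the Set-Cookie header with a hand-built value that carries the HttpOnly flag (and Secure on HTTPS requests). The package name, class name and url-pattern are assumptions, and the filter assumes the default session cookie name JSESSIONID.

```java
// Added example (not from the original post or from JBoss): servlet 2.4 workaround that
// re-emits the JSESSIONID cookie as a hand-built Set-Cookie header with HttpOnly.
// Assumptions: package/class name are hypothetical; the session cookie name is the
// default JSESSIONID; register the filter in web.xml with <url-pattern>/*</url-pattern>
// so it runs before anything else writes to the response.
package example.web;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class HttpOnlySessionCookieFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Create the session up front so its id is known before the response is
        // committed; the container's own Set-Cookie for a new session is added at this
        // point, and the setHeader below replaces it with the HttpOnly version.
        HttpSession session = request.getSession(true);

        String header = buildSessionCookieHeader(
                session.getId(), request.getContextPath(), request.isSecure());

        // setHeader (not addHeader) so the browser sees exactly one JSESSIONID cookie.
        response.setHeader("Set-Cookie", header);

        chain.doFilter(req, res);
    }

    /**
     * Builds the Set-Cookie header value for the session cookie.
     * An empty context path (root deployment) maps to Path=/ so the cookie is
     * still scoped to the application.
     */
    static String buildSessionCookieHeader(String sessionId, String contextPath, boolean secure) {
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        StringBuilder sb = new StringBuilder();
        sb.append("JSESSIONID=").append(sessionId)
          .append("; Path=").append(path)
          .append("; HttpOnly");
        if (secure) {
            // Only send the cookie over TLS when the request itself arrived over TLS.
            sb.append("; Secure");
        }
        return sb.toString();
    }

    public void destroy() {
        // nothing to release
    }
}
```

After deploying, verify with the browser's developer tools (or by inspecting the raw response headers) that a single Set-Cookie header for JSESSIONID is returned and that it ends in HttpOnly; `document.cookie` in the page should then no longer expose the session id. Because setHeader replaces every Set-Cookie value already on the response, the filter must be first in the chain, and any application code that sets its own cookies must do so after it. On a servlet 3.0 container, or a Tomcat that honors useHttpOnly, this filter is unnecessary and the container setting should be preferred.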