JavaRanch » Java Forums » Frameworks » Struts
Setting HttpOnly and Secure attributes in Struts2

Bill Wied

Joined: Mar 11, 2009
Posts: 9
Two of the OWASP security recommendations for web applications involve setting the HttpOnly and Secure attributes on the session cookie; however, the OWASP link below indicates that it is not possible to set these flags programmatically in Struts2.

Are there other recommended ways of doing this?

One recommended solution that was suggested was to use a Servlet filter to rewrite the cookie and add these attributes. Has anyone taken this approach?

I am operating using Java 1.5, Websphere 7.0 and Struts Servlet container 2.4.

Thanks in advance for your help.

Joe Ess

Joined: Oct 29, 2001
Posts: 8836

Interesting paper. I'm not a security expert, but I'm curious why, on page 14, the author proposes to "bring back the validate() method" when that method is available in com.opensymphony.xwork2.ActionSupport for providing programmatic validation.

"blabbing like a narcissistic fool with a superiority complex" ~ N.A.
[How To Ask Questions On JavaRanch]
I agree. Here's the link: