How to make cookies marked as HttpOnly in Servlet 2.5

Sat Nar
Ranch Hand

Joined: Oct 22, 2004
Posts: 83
Hello All,

Our application uses Servlet 2.5. We need to set Session Cookies as Http-Only. Servlet 3.0 has a provision to allow cookies to be marked as HttpOnly. I am not sure how to have the same in Servlet 2.5. Any help on this is greatly appreciated.
Pete Nelson
Ranch Hand

Joined: Aug 30, 2010
Posts: 147

You might need to explain a bit more about what you are trying to accomplish.

From the Servlet 3.0 Javadoc for javax.servlet.http.Cookie:
HttpOnly cookies are not supposed to be exposed to client-side scripting code, and may therefore help mitigate certain kinds of cross-site scripting attacks.

So, are you looking for "Cookies" that are accessible by the server, and not the client? If so, use javax.servlet.http.HttpSession and store your server-side only attributes in the Session. None of those attributes are ever exposed to the client.


OCPJP
In preparing for battle I have always found that plans are useless, but planning is indispensable. -- Dwight D. Eisenhower
Pete Nelson
Ranch Hand

Joined: Aug 30, 2010
Posts: 147

Another comment - it looks like some app servers (like Tomcat 6.0) support HttpOnly within the context.xml. Another option is to write the Cookie from scratch (rather than using the HttpCookie object), sending the HTTP headers to create an HttpOnly Cookie.

This page has details of setting it up with Tomcat 6.0, and doing it by hand - https://www.owasp.org/index.php/HttpOnly

But, consider - is this truly safer than storing data server-side via the HttpSession?
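The "do it by hand" route from the post above, as an added example that is not code from the thread or from the OWASP page. Servlet 2.5's javax.servlet.http.Cookie has no setHttpOnly(), so the flag has to be written into the Set-Cookie header directly. The filter below is hypothetical: the class name, the assumption that the container's session cookie is called JSESSIONID, and the choice to re-issue it only when a session is new are all mine. It appends HttpOnly, and Secure when the request arrived over TLS, and relies on HttpServletResponse.setHeader replacing the container's own flag-less Set-Cookie value before the response is committed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical Servlet 2.5 filter that re-issues the session cookie with the
 * HttpOnly flag (and Secure on HTTPS). Servlet 2.5 has no Cookie.setHttpOnly(),
 * so the Set-Cookie header is built by hand.
 */
public class HttpOnlySessionCookieFilter implements Filter {

    /** Assumption: the container uses its default session cookie name. */
    private static final String SESSION_COOKIE_NAME = "JSESSIONID";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Let the application run first; it may create the session.
        chain.doFilter(request, response);

        HttpSession session = request.getSession(false);
        if (session != null && session.isNew() && !response.isCommitted()) {
            // setHeader (not addHeader) replaces the Set-Cookie value the
            // container queued for the new session, so the browser only ever
            // sees the flagged version of JSESSIONID.
            String contextPath = request.getContextPath();
            String path = (contextPath.length() == 0) ? "/" : contextPath;
            response.setHeader("Set-Cookie",
                    buildSetCookie(SESSION_COOKIE_NAME, session.getId(), path, request.isSecure()));
        }
    }

    /**
     * Builds a Set-Cookie header value such as
     * "JSESSIONID=abc123; Path=/app; HttpOnly; Secure".
     * Secure is only added when the request itself came over TLS, otherwise
     * the browser would never send the cookie back on a plain-HTTP site.
     */
    static String buildSetCookie(String name, String value, String path, boolean secure) {
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value)
          .append("; Path=").append(path)
          .append("; HttpOnly");
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }
}
```

Map it in web.xml with a filter-mapping on /* so it wraps every request. Two caveats a practitioner should weigh: setHeader throws away every other Set-Cookie value queued in the same response, so any application cookies added before the session was created will be lost on that response; and if the container has already flushed the response the override silently does nothing (hence the isCommitted check). Where the container offers the flag itself, as Tomcat 6.0.19 and later do with useHttpOnly="true" on the Context element, that setting is the better choice, because the container then emits the flag on the session cookie without the header-replacement trick.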
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
Pete, I think you misunderstand HttpOnly cookies. Those are cookies like all other ones, but they're not readable by JavaScript in the browser (via document.cookies, or something like that, if memory serves). They're thus not amenable to some kinds of attacks, but still can serve purposes that sessions (which generally time out after not too long a while) do not.
Pete Nelson
Ranch Hand

Joined: Aug 30, 2010
Posts: 147

Ulf Dittmer wrote:Pete, I think you misunderstand HttpOnly cookies. Those are cookies like all other ones, but they're not readable by JavaScript in the browser


I thought https://www.owasp.org/index.php/HttpOnly actually clarified quite a bit. I think assuming they can't be read by javascript is not a good security assumption to make. Any data you send to the client, you really have no expectation that they will not abuse it.