Setting 'HttpOnly' and 'Secure' in web.xml
I need to have the 'HttpOnly' and 'Secure' attributes set to 'true' to prevent the CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute and CWE-402: Transmission of Private Resources into a New Sphere flaws from showing in the Veracode report.

After doing some online searching, it seems that the best thing to do is to simply set the attributes in the project's web.xml file as follows:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

However, I get an error message on the opening tag saying that "The content of element type "session-config" must match "(session-timeout)?".

I'm not sure what that means exactly. I'm guessing it has something to do with the order of elements, but I don't really know how to fix it.

Any thoughts?

Thanks!

Tui answered 14/6, 2017 at 19:19 Comment(0)

Support for the secure and http-only attributes is available only in the HTTP servlet specification 3. Check that the version attribute in your web.xml is "3.0".

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
Possess answered 10/7, 2017 at 20:40 Comment(0)

In version 4.0, use the cookie-config tag.

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
Scholar answered 14/11, 2023 at 18:23 Comment(0)
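The two answers above together say what a correct descriptor needs: a web-app version of 3.0 or later and a cookie-config with both flags set to true. The following added example (my own code, not from the question or either answer) is a small static check that a reviewer can run over a project's web.xml to confirm both points; the sample descriptors inside it are constructed for the example, and the "2.5" version and findings strings are assumptions of this script, not from the page.

```python
# Added example (not from the question or the answers): a static check over a
# Servlet web.xml. It reports a web-app version below 3.0 (where <cookie-config>
# is not part of the <session-config> content model, which is what the
# "(session-timeout)?" error means) and any cookie flag not set to true.
# The sample descriptors at the bottom are constructed for this example.
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the XML namespace so 2.x and 3.x descriptors are handled alike."""
    return tag.split("}", 1)[-1]


def check_web_xml(xml_text: str) -> list:
    """Return a list of findings; an empty list means the session cookie is hardened."""
    findings = []
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "web-app":
        return ["root element is not <web-app>"]
    version = root.get("version", "")
    major = int(version.split(".")[0]) if version.split(".")[0].isdigit() else 0
    if major < 3:
        findings.append(f"web-app version {version!r} is below 3.0; <cookie-config> is not allowed")
    cookie_cfg = next((el for el in root.iter() if _local(el.tag) == "cookie-config"), None)
    if cookie_cfg is None:
        findings.append("no <cookie-config> element found")
        return findings
    for flag in ("http-only", "secure"):
        value = next(((el.text or "").strip().lower()
                      for el in cookie_cfg if _local(el.tag) == flag), None)
        if value != "true":
            findings.append(f"<{flag}> is {value!r}, expected 'true'")
    return findings


HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>"""

LEGACY_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

if __name__ == "__main__":
    for name, doc in (("hardened", HARDENED_WEB_XML), ("legacy", LEGACY_WEB_XML)):
        print(name, check_web_xml(doc) or "OK")
```

Note that session-timeout comes before cookie-config in the sample, which is the order the 3.0 schema expects inside session-config.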