Setting httponly in JSESSIONID cookie (Java EE 5)
I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servlet's doPost() by using response.setHeader().

When that didn't work, I tried response.addHeader(). That didn't work either. Then, I learned that the servlet handled converting the session into a JSESSIONID cookie and inserting it into the http header so if I want to play with that cookie, I'll have to write a filter. I wrote a filter and played with setHeader()/addHeader() there, again to no avail.

Then, I learned that there's some flush/close action going on in the response object before it gets to the filter so if I want to manipulate the data, I need to extend HttpServletResponseWrapper and pass that to filterChain.doFilter(). This is done but I'm still not getting results. Clearly I'm doing something wrong but I don't know what.

I'm not sure if this is at all relevant to the question at hand, but no HTML document is being returned by the servlet to the browser. All that's really happening is that some objects are being populated and returned to a JSP document. I've sort of assumed that the Session object is turned into a JSESSIONID cookie and wrapped -- along with the objects added to the request -- in an HTTP header before being sent to the browser.

I'd be happy to post some code but I want to rule out the possibility that my difficulties stem from a misunderstanding of the theory first.

Ajmer answered 7/6, 2010 at 19:29 Comment(1)
Added some code formatting because otherwise it was a bit of an unapproachable Wall Of Text. Might still consider posting sample code of what you've tried.Grodno

Since the JSESSIONID cookie is managed by the servlet container, this setting is servlet container specific. It's unclear which one you're using, so here's an Apache Tomcat 6.0 targeted answer so that you know in which direction you'll have to look for your servlet container: you need to set the useHttpOnly attribute of the web application's <Context> element to true.

<Context useHttpOnly="true">
    ...
</Context>

Also see this Tomcat documentation about the <Context> element.

Isabellisabella answered 7/6, 2010 at 20:0 Comment(3)
The more I explore this topic, the more I realize how utterly ignorant I am about nearly everything. I'm using JBoss 4.0 but, from what I've read, JBoss is an EJB container (?). I'm not sure what servlet container I'm using. I'll have to post again when I've found out what my servlet container is.Ajmer
JBoss is an application server. It uses Tomcat as servlet container and adds some EJB and other fancy JavaEE features on top of that. The EJB story is irrelevant here. This is a HTTP/Servlet issue. By the way, I am not sure if the old JBoss 4.0 supports this attribute... At least, the instructions are the same as for Tomcat.Isabellisabella
It looks like not even JBoss 4.3 supports this, you'll need 5.0: issues.jboss.org/browse/JBPAPP-3088Persinger

You can use this with Java EE 5:

For Java Enterprise Edition versions prior to Java EE 6 a common workaround is to overwrite the SET-COOKIE http response header with a session cookie value that explicitly appends the HttpOnly flag:

String sessionid = request.getSession().getId();
// be careful overwriting: JSESSIONID may have been set with other flags
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

Source : https://www.owasp.org/index.php/HttpOnly

I tested it in a filter.

Trespass answered 21/6, 2013 at 11:24 Comment(0)
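The filter approach the question describes and the OWASP header-overwrite in the answer above, combined into one complete Servlet 2.5 (Java EE 5) filter. This is an added example, not code from the original post or from OWASP. It assumes Tomcat-style behaviour: the container queues its Set-Cookie header for JSESSIONID at the moment the session is created, so the filter creates the session itself (before the response can be committed) and then replaces that header. Unlike the three-line snippet, it keeps the Path attribute the container would have set (without it the browser scopes the cookie to the request URL's directory) and adds Secure on HTTPS. The class name, and the assumption that no other Set-Cookie header has been queued yet, are mine.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Servlet 2.5 filter that forces the HttpOnly flag (and Secure over TLS)
 * onto the JSESSIONID cookie by overwriting the Set-Cookie header the
 * container queued when it created the session. Hypothetical class name.
 *
 * web.xml mapping (also an assumption, adjust to your app):
 *   <filter>
 *     <filter-name>HttpOnlySessionCookieFilter</filter-name>
 *     <filter-class>HttpOnlySessionCookieFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>HttpOnlySessionCookieFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class HttpOnlySessionCookieFilter implements Filter {

    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Create the session here, before any servlet or JSP can commit the
        // response. On Tomcat this is the point at which the container adds
        // its own "Set-Cookie: JSESSIONID=..." header (without HttpOnly on
        // Tomcat 6 unless useHttpOnly="true" is configured).
        HttpSession session = request.getSession(true);

        // Only a brand-new session produced a Set-Cookie header, so only then
        // is there anything to overwrite. A committed response cannot be changed.
        if (session.isNew() && !response.isCommitted()) {
            response.setHeader("Set-Cookie", buildSessionCookie(request, session.getId()));
        }

        chain.doFilter(request, response);
    }

    /**
     * Builds the replacement cookie value. Path mirrors what the container
     * would have used (the context path, or "/" for the root context).
     */
    static String buildSessionCookie(HttpServletRequest request, String sessionId) {
        String path = request.getContextPath();
        if (path == null || path.length() == 0) {
            path = "/";
        }
        StringBuilder cookie = new StringBuilder("JSESSIONID=")
                .append(sessionId)
                .append("; Path=").append(path)
                .append("; HttpOnly");
        if (request.isSecure()) {
            // Do not let the session id travel over plain HTTP once issued over TLS.
            cookie.append("; Secure");
        }
        return cookie.toString();
    }

    public void destroy() {
        // nothing to release
    }
}
```

Two caveats a practitioner should keep in mind. First, setHeader replaces every Set-Cookie header queued so far, which is exactly why the filter runs before the chain rather than after: at that point the only queued cookie is the session cookie. Second, calling getSession(true) on every request means every visitor gets a session; if that is undesirable, restrict the filter's url-pattern to the paths that would create one anyway (JSPs create sessions by default). Verify the result with curl -i against the app and confirm the Set-Cookie line carries HttpOnly and the expected Path.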
