
Problem in using HTTPOnly attribute

I am trying to provide a solution for a security vulnerability in an application using Servlet 2.4, Struts 1.3 and JBoss 4.2.0. For this I need to set the cookie type as HttpOnly. I have found that:
1. Starting from Servlet 3.0, the Cookie interface has an HttpOnly attribute.
2. Starting from Tomcat 6.0, we can provide a useHttpOnly context param in context.xml.

I also found that for older versions the workaround is to rewrite the JSESSIONID value and set it as a custom header.

I tried setting useHttpOnly in <JBOSS_HOME>/server/default/deploy/jboss-web.deployer/context.xml. But I can still access the cookie with client-side script.

1. Since I am using Servlet 2.4, I may have to rebuild the header to put httpSessionOnly.
2. I am using JBoss 4.2.0, which has embedded Tomcat v. < 5.0; it might not recognize the httpSessionOnly attribute.

Please help me find a solution.

