This week's book giveaway is in the Kotlin forum.
We're giving away four copies of Kotlin for Android App Development and have Peter Sommerhoff on-line!
See this thread for details.
Win a copy of Kotlin for Android App Development this week in the Kotlin forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Devaka Cooray
  • Jeanne Boyarsky
  • Bear Bibeault
Sheriffs:
  • Junilu Lacar
  • Paul Clapham
  • Knute Snortum
Saloon Keepers:
  • Ron McLeod
  • Tim Moores
  • Stephan van Hulst
  • salvin francis
  • Carey Brown
Bartenders:
  • Tim Holloway
  • Frits Walraven
  • Ganesh Patekar

Setting HttpOnly and Secure attributes in Struts2  RSS feed

 
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Two of the OWASP security recommendations for web applications involve setting the HttpOnly and secure attributes within the session cookie, however the following link below from OWASP indicates that it is not possible to set these flags programatically in Struts2.

https://www.owasp.org/images/b/be/A_Gap_Analysis_of_Application_Security_in_Struts2.pdf

Are there other recommend ways of doing this?

One recommended solution that was suggested was to use a Servlet filter to rewrite the cookie and adding these attributes. Has anyone taken this approach?

I am operating using Java 1.5, Websphere 7.0 and Struts Servlet container 2.4.

Thanks in advance for your help.

Bill
 
Bartender
Posts: 9551
12
Linux Mac OS X Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Interesting paper. I'm not a security expert, but I'm curious why, on page 14, the author proposes to "bring back the validate() method" when that method is available in com.opensymphony.xwork2 ActionSupport for providing programmatic validation.
 
All of the world's problems can be solved in a garden - Geoff Lawton. Tiny ad:
RavenDB is an Open Source NoSQL Database that’s fully transactional (ACID) across your database
https://coderanch.com/t/704633/RavenDB-Open-Source-NoSQL-Database
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!