
How to make cookies marked as HttpOnly in Servlet 2.5

 
Sat Nar
Hello All,

Our application uses Servlet 2.5. We need to set Session Cookies as Http-Only. Servlet 3.0 has provision to allow cookies to be marked as HttpOnly. I am not sure how to have the same in Servlet 2.5. Any help on this is greatly appreciated.
 
Pete Nelson
You might need to explain a bit more about what you are trying to accomplish.

From the Servlet 3.0 Javadoc for javax.servlet.http.Cookie:
HttpOnly cookies are not supposed to be exposed to client-side scripting code, and may therefore help mitigate certain kinds of cross-site scripting attacks.

So, are you looking for "Cookies" that are accessible by the server, and not the client? If so, use javax.servlet.http.HttpSession and store your server-side only attributes in the Session. None of those attributes are ever exposed to the client.
 
Pete Nelson
Another comment - it looks like some app servers (like Tomcat 6.0) support HttpOnly within the context.xml. Another option is to write the Cookie from scratch (rather than using the HttpCookie object), sending the HTTP headers to create an HttpOnly Cookie.

This page has details of setting it up with Tomcat 6.0, and doing it by hand - https://www.owasp.org/index.php/HttpOnly

But, consider - is this truly safer than storing data server-side via the HttpSession?
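The "write the header by hand" route from the post above, as an added example that is not code from the original thread or from the linked OWASP page: a Servlet 2.5 filter that replaces the container's Set-Cookie for the session ID with one carrying the HttpOnly flag (and Secure on HTTPS), plus a helper for emitting application cookies the same way. Assumptions: the session cookie is named JSESSIONID, the container (e.g. Tomcat 6) creates the session cookie at the moment getSession() is called so that a subsequent setHeader("Set-Cookie", ...) overrides it, and the filter is mapped in web.xml to the URLs that create sessions. On newer containers prefer the native support (Tomcat 6.0.19+ has a useHttpOnly attribute on the Context element; Servlet 3.0 has Cookie.setHttpOnly) and keep this only for legacy 2.5 deployments.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Servlet 2.5 filter: re-emits the session cookie with the HttpOnly flag.
 * The Servlet 2.5 Cookie class has no setHttpOnly(), so the Set-Cookie
 * header is written by hand, following the technique the OWASP HttpOnly
 * page describes. Hypothetical class name; not part of any container API.
 */
public class HttpOnlySessionCookieFilter implements Filter {

    // Assumption: default container session cookie name.
    private static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Force session creation here, before the response is committed,
        // so the header can still be rewritten.
        HttpSession session = req.getSession(true);
        if (session.isNew() && !resp.isCommitted()) {
            String path = req.getContextPath();
            if (path == null || path.length() == 0) {
                path = "/";
            }
            // setHeader (not addHeader) replaces the container-written
            // Set-Cookie for the new session with the HttpOnly variant.
            resp.setHeader("Set-Cookie",
                    buildCookieHeader(SESSION_COOKIE, session.getId(), path, req.isSecure()));
        }

        chain.doFilter(request, response);
    }

    /**
     * Builds a Set-Cookie value with the HttpOnly flag and, when the request
     * arrived over TLS, the Secure flag. Rejects values that could smuggle
     * extra attributes or headers (';', CR, LF, other control characters).
     */
    static String buildCookieHeader(String name, String value, String path, boolean secure) {
        if (!isSafeToken(name) || !isSafeValue(value) || !isSafeValue(path)) {
            throw new IllegalArgumentException("unsafe cookie name, value or path");
        }
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value);
        sb.append("; Path=").append(path);
        sb.append("; HttpOnly");
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    // Cookie name: RFC 2616 token characters only.
    private static boolean isSafeToken(String s) {
        return s != null && s.length() > 0 && s.matches("[A-Za-z0-9!#$%&'*+.^_`|~-]+");
    }

    // Cookie value / path: printable ASCII without separators that would end
    // the value or inject a new header line.
    private static boolean isSafeValue(String s) {
        if (s == null) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x21 || c > 0x7E || c == ';' || c == ',' || c == '"' || c == '\\') {
                return false;
            }
        }
        return true;
    }
}
```

Map the filter in web.xml with a filter-mapping covering the login and landing URLs, and verify the result by reading the Set-Cookie line in the browser's network inspector or with a plain HTTP client: the session cookie should appear once, with "; HttpOnly" (and "; Secure" over HTTPS). If the session cookie shows up twice, the container writes its cookie after the filter runs rather than at getSession() time, and this approach needs to be replaced with the container's own HttpOnly setting.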
 
Ulf Dittmer
Pete, I think you misunderstand HttpOnly cookies. Those are cookies like all other ones, but they're not readable by JavaScript in the browser (via document.cookies, or something like that, if memory serves). They're thus not amenable to some kinds of attacks, but still can serve purposes that sessions (which generally time out after not too long a while) do not.
 
Pete Nelson
Ulf Dittmer wrote:Pete, I think you misunderstand HttpOnly cookies. Those are cookies like all other ones, but they're not readable by JavaScript in the browser


I thought https://www.owasp.org/index.php/HttpOnly actually clarified quite a bit. I think assuming they can't be read by JavaScript is not a good security assumption to make. Any data you send to the client, you really have no expectation that they will not abuse it.
 