
useHttpOnly flag is not working in 7.0.23

 
Mehar Hassan Raza
Greenhorn
Posts: 3
Our application underwent a security assessment, and the assessors recommended using HttpOnly and SSL encryption. Our Tomcat version is 7.0.23.

I googled this and made the following settings, recommended by most bloggers.

In conf/context.xml:



In conf/server.xml:



In WEB-INF/web.xml:



After making these changes I restarted Tomcat, but there was no change. We are using the Burp tool to intercept browser sessions.

Regards
Aly
 
Ulf Dittmer
Rancher
Posts: 42968
Welcome to JavaRanch.

After making these changes I restarted Tomcat, but there was no change. We are using the Burp tool to intercept browser sessions.

What does this tool show you (before and after) that leads you to believe there was no change?

I'd have thought that the obvious test would be to try to get at those cookies via JavaScript.
 
Mehar Hassan Raza
Greenhorn
Posts: 3
Ulf Dittmer wrote: Welcome to JavaRanch.

After making these changes I restarted Tomcat, but there was no change. We are using the Burp tool to intercept browser sessions.

What does this tool show you (before and after) that leads you to believe there was no change?

I'd have thought that the obvious test would be to try to get at those cookies via JavaScript.

The security analyst says the Burp tool is showing the following information about the client/server session:

Cookie: JSESSIONID=0862B1AF10065D0B7B80FF2111DB45E2; BrowserLocale="en "

and it should show the following:

Cookie: JSESSIONID=0862B1AF10065D0B7B80FF2111DB45E2; BrowserLocale="en ";httponly;secure;

Regards
Aly
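The check Ulf asks for can be done on the response side of a proxy capture. This is an added example, not code from the thread or from Tomcat, and its sample response is constructed. The HttpOnly and Secure attributes travel on the server's Set-Cookie response header; the browser's Cookie request header carries only name=value pairs, so it is the Set-Cookie headers that show whether the change took effect.

```python
"""Audit the Set-Cookie headers of a captured HTTP response for HttpOnly/Secure.

Added example; SAMPLE_RESPONSE is constructed, not taken from the thread.
"""
from typing import Dict, List


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_attributes(header_value: str) -> Dict[str, object]:
    """Parse 'name=value; Attr; Attr=val' into a lowercase attribute map."""
    attrs: Dict[str, object] = {}
    for part in [p.strip() for p in header_value.split(";")][1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True
    return attrs


def audit_cookies(raw_response: str, over_https: bool = True) -> Dict[str, List[str]]:
    """Map cookie name -> missing flags. Secure is only demanded for HTTPS responses,
    because a Secure cookie set over plain HTTP is never returned by the browser."""
    findings: Dict[str, List[str]] = {}
    for value in set_cookie_headers(raw_response):
        name = value.split(";", 1)[0].partition("=")[0].strip()
        attrs = cookie_attributes(value)
        missing = [f for f, key in (("HttpOnly", "httponly"), ("Secure", "secure"))
                   if key not in attrs and (over_https or key != "secure")]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: a response where only the session cookie got HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=CONSTRUCTEDID; Path=/app; HttpOnly\r\n"
    "Set-Cookie: BrowserLocale=\"en \"; Path=/app\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print(audit_cookies(SAMPLE_RESPONSE))
```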
 
Tim Holloway
Saloon Keeper
Posts: 18300
You might want to read this: http://www.coderanch.com/forums/posts/preList/624164/2853715
 