HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it).
The example below shows the syntax used within the HTTP response header:
Set-Cookie: <name>=<value>[; Max-Age=<age>]
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]
If the optional HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
More details on HttpOnly can be found here
Before JBoss 5 the application server offers no configuration option for setting HttpOnly, so it has to be done programmatically. Below are the ways the HttpOnly flag can be set in the different versions of JBoss.
JBoss 4
Re-emit the JSESSIONID value by setting it as a custom Set-Cookie header:
// getSession() makes the container emit its own Set-Cookie; setHeader then replaces that header
String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
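As an added example (not code from the original post), a Servlet 2.4 filter that applies the same setHeader technique to every newly created session, with a hypothetical class name. It assumes, as the snippet above does, that setHeader("Set-Cookie") replaces the container's own Set-Cookie header, and that the filter runs before the application writes the response.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter for a Servlet 2.4 container such as JBoss 4, which has no
// container-level HttpOnly switch. On the request that creates a session it
// replaces the container's Set-Cookie header for JSESSIONID with one carrying
// Path, HttpOnly and (on HTTPS) Secure. Map it to /* in web.xml.
public class HttpOnlySessionCookieFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(true) makes the container emit its own JSESSIONID
        // Set-Cookie; setHeader then overwrites that header before the
        // application writes anything to the response.
        HttpSession session = request.getSession(true);
        if (session.isNew()) {
            response.setHeader("Set-Cookie", sessionCookie(request, session.getId()));
        }
        chain.doFilter(request, response);
    }

    // Path must equal the container's cookie path (the context path, or "/"
    // when emptySessionPath="true"); otherwise the browser keeps two
    // JSESSIONID cookies, one of them without the flags.
    static String sessionCookie(HttpServletRequest request, String sessionId) {
        String path = request.getContextPath();
        if (path == null || path.length() == 0) {
            path = "/";
        }
        StringBuffer cookie = new StringBuffer("JSESSIONID=").append(sessionId)
                .append("; Path=").append(path).append("; HttpOnly");
        if (request.isSecure()) {
            cookie.append("; Secure"); // Secure only over TLS, or plain-HTTP clients never send it
        }
        return cookie.toString();
    }

    public void destroy() { }
}
```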
JBoss 5 & 6
Set useHttpOnly to true in context.xml, which can be found at jboss/server/<myserver>/deploy/jbossweb.sar/context.xml.
Add the following line to context.xml:
<SessionCookie secure="true" httpOnly="true" />
JBoss 7
Add the http-only tag to the session-config in web.xml:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Hi Syam,
I'm also facing a few problems when I'm trying to renew the JSESSIONID and set the HttpOnly attribute on the JSESSIONID cookie. I'm using JBoss 4.2.2.
1. The container-provided JSESSIONID is not getting renewed even after logout (session invalidate call). To renew the JSESSIONID I had to set emptySessionPath="false" in server.xml. Are there any other options to renew the container-provided JSESSIONID?
2. I'm able to set the HttpOnly and secure attributes on a programmatically created cookie, but when setting these attributes on the container-generated JSESSIONID cookie, the changes are not reflected.
For example, my container-generated cookie is: JSESSIONID;path=/;value=123
I'm unable to set the HttpOnly and secure attributes on this cookie, but by creating a new cookie with the JSESSIONID name and a different 'path' I'm able to set those attributes:
response.setHeader("SET-COOKIE", "JSESSIONID=" + id+ "; path=/abc; HttpOnly ;secure");
But my requirement is to make the container-generated JSESSIONID cookie HttpOnly and secure.
I'm waiting for your response.
Modify the main web.xml to add the headers on initialization; below is an example.
<filter>
    <filter-name>CommonHeadersFilter</filter-name>
    <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
    <init-param>
        <param-name>X-Powered-By</param-name>
        <param-value>Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0;</param-value>
    </init-param>
    <init-param>
        <param-name>Cache-Control</param-name>
        <param-value>no-cache, no-store, must-revalidate</param-value>
    </init-param>
    <init-param>
        <param-name>Pragma</param-name>
        <param-value>no-cache</param-value>
    </init-param>
    <init-param>
        <param-name>Set-Cookie</param-name>
        <param-value>Secure; HttpOnly</param-value>
    </init-param>
</filter>
Look at my answer here: https://stackoverflow.com/questions/29146465/how-to-configure-jboss-4-0-to-make-session-cookie-httponly-and-secure