 

how to set httponly and session cookie for java web application

I am working on an XSS (cross site scripting) issue. My application runs on an Oracle Weblogic portal. We use Servlet version 2.5.

I have added the below 3 lines of code in the filter for setting httponly and secure cookies, and it is working fine.

String sessionid = req.getSession().getId();
res.setHeader("Set-Cookie", "JSESSIONID=" +  sessionid + ";HttpOnly");
res.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure");

The issue is when I log out and log in immediately in the same browser. I am able to log in, but after that, on the JSP pages I am getting a session timeout issue. We use WebLogic-related APIs. The request.getUserPrincipal() API is returning null; I guess it is being set to null.

Please share any ideas.

If there are any other ways to set httponly or secure flag, please help.

Kiran asked Mar 19 '13 21:03
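Two things about the three lines in the question are worth noting before reaching for a different approach. HttpServletResponse.setHeader replaces any existing header of that name, so the second call discards the first and only "secure" is actually sent; both attributes have to go on one Set-Cookie line. And a hand-built JSESSIONID cookie with no Path attribute is scoped by the browser to the request's directory, not to the context path the container uses for its own cookie, so the browser can end up holding two JSESSIONID cookies and sending a stale one after a logout/login, which is one plausible (but, from this thread, unconfirmed) explanation for the "session timeout" symptom. The filter below is an added example, not code from the question or from WebLogic: it is written against the Servlet 2.5 API (no Cookie.setHttpOnly yet) and, rather than emitting a competing cookie, wraps the response and appends HttpOnly and, on HTTPS, Secure to whatever Set-Cookie the application or container routes through the wrapper for the session cookie. The class and method names are the example's own. Whether a given container writes its own session cookie through the wrapped response is container-specific and not established here; where it does not, the wrapper never sees that cookie and only container-level configuration can add the flags.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Servlet 2.5 filter (example, not from the original thread): instead of
 * emitting a second JSESSIONID cookie, rewrite the session cookie's own
 * Set-Cookie so it carries HttpOnly and, over HTTPS, Secure.
 * Register in web.xml with <url-pattern>/*</url-pattern>.
 */
public class SessionCookieFlagsFilter implements Filter {

    static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Only mark Secure when the request really arrived over TLS; a Secure
        // cookie is never sent back over plain HTTP, which would drop the session.
        chain.doFilter(request, new FlaggingResponse(response, request.isSecure()));
    }

    /** True if a raw Set-Cookie value is for the session cookie (case-insensitive name). */
    static boolean isSessionCookie(String setCookie) {
        String prefix = SESSION_COOKIE + "=";
        return setCookie.trim().regionMatches(true, 0, prefix, 0, prefix.length());
    }

    /** Append the attributes that are missing; never duplicate ones already present. */
    static String withFlags(String setCookie, boolean secureChannel) {
        boolean hasHttpOnly = false, hasSecure = false;
        for (String part : setCookie.split(";")) {
            String attr = part.trim().toLowerCase();
            if (attr.equals("httponly")) hasHttpOnly = true;
            if (attr.equals("secure")) hasSecure = true;
        }
        StringBuilder sb = new StringBuilder(setCookie);
        if (!hasHttpOnly) sb.append("; HttpOnly");
        if (secureChannel && !hasSecure) sb.append("; Secure");
        return sb.toString();
    }

    static class FlaggingResponse extends HttpServletResponseWrapper {
        private final boolean secureChannel;

        FlaggingResponse(HttpServletResponse r, boolean secureChannel) {
            super(r);
            this.secureChannel = secureChannel;
        }

        @Override
        public void addCookie(Cookie cookie) {
            if (!SESSION_COOKIE.equals(cookie.getName())) {
                super.addCookie(cookie);
                return;
            }
            // Servlet 2.5's Cookie has no setHttpOnly(), so serialise it by hand,
            // keeping the Path/Domain the container chose so the browser replaces
            // its existing JSESSIONID instead of storing a second one.
            StringBuilder header = new StringBuilder(cookie.getName()).append('=').append(cookie.getValue());
            if (cookie.getPath() != null) header.append("; Path=").append(cookie.getPath());
            if (cookie.getDomain() != null) header.append("; Domain=").append(cookie.getDomain());
            if (cookie.getMaxAge() >= 0) header.append("; Max-Age=").append(cookie.getMaxAge());
            super.addHeader("Set-Cookie", withFlags(header.toString(), secureChannel || cookie.getSecure()));
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, rewrite(name, value));
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, rewrite(name, value));
        }

        private String rewrite(String name, String value) {
            return "Set-Cookie".equalsIgnoreCase(name) && isSessionCookie(value)
                    ? withFlags(value, secureChannel) : value;
        }
    }
}
```

After deploying, confirm what the browser actually receives rather than trusting the filter: `curl -skI https://host/app/login | grep -i set-cookie` should show exactly one JSESSIONID line, carrying both attributes and the context path. Two JSESSIONID lines, or one without Path, means the container is bypassing the wrapper and the configuration route in the answer below is the one to use.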




1 Answer

Depending on the specifics of your web container, modifying container-managed session cookies within an app can cause the app server to toss the existing session and create a new one. I've observed this on Tomcat but it may be similar for Weblogic.

If you're using Servlet 3.0, you can actually instruct the app server to ensure that all session cookies are HttpOnly and Secure with the following fragment:

<!-- web.xml (Servlet 3.0 or later) -->
<session-config>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

This is a better approach than manually hacking on the cookies with a filter.

FYI: I've also written a Java library that injects a number of security related response headers in Servlet based apps.

Jason Nichols answered Sep 28 '22 00:09
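The same Servlet 3.0 setting can be applied programmatically, which is handy when web.xml is generated by a build or when the Secure flag must depend on deployment (for instance, disabled on a plain-HTTP developer instance). The listener below is an added example, not code from the answer or from the answer's library; the class name and the context init-parameter it reads are this example's assumptions. The one real constraint it illustrates is that SessionCookieConfig may only be modified while the context is being initialised; calling setHttpOnly or setSecure later throws IllegalStateException.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Servlet 3.0 alternative to the <cookie-config> fragment (example, not from
 * the thread): harden the container-managed session cookie at startup, so no
 * filter has to touch JSESSIONID afterwards.
 */
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    // Hypothetical init-param (set in web.xml <context-param>) used to turn off
    // the Secure attribute on non-TLS developer deployments; defaults to on.
    static final String SECURE_PARAM = "session.cookie.secure";

    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();

        // Must happen here: after initialisation the setters throw IllegalStateException.
        cookie.setHttpOnly(true);
        cookie.setSecure(shouldBeSecure(ctx.getInitParameter(SECURE_PARAM)));
        // Scope the cookie to this application, mirroring what the container does
        // by default, so no stale cookie from another path shadows it.
        String path = ctx.getContextPath();
        cookie.setPath(path == null || path.isEmpty() ? "/" : path);

        ctx.log("session cookie: httpOnly=" + cookie.isHttpOnly()
                + " secure=" + cookie.isSecure() + " path=" + cookie.getPath());
    }

    /** Secure unless explicitly disabled; anything but "false" keeps it on. */
    static boolean shouldBeSecure(String initParam) {
        return initParam == null || !initParam.trim().equalsIgnoreCase("false");
    }

    public void contextDestroyed(ServletContextEvent sce) {}
}
```

Whichever route is used, verify the result on the wire: after a fresh request that creates a session, the single Set-Cookie for JSESSIONID should carry `HttpOnly` and, on HTTPS, `Secure`, and `document.cookie` in the browser console should not list JSESSIONID at all. If the application is also reachable over plain HTTP, a Secure session cookie will simply never be sent back on those requests, which looks exactly like the "session timeout" in the question, so redirect HTTP to HTTPS before enabling it.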