httpOnly Session Cookie + Servlet 3.0 (e.g. Glassfish v3)

By default, Glassfish v3 doesn't set the httpOnly flag on session cookies (when created as usual with request.getSession()).

I know, there is a method javax.servlet.SessionCookieConfig.setHttpOnly(), but I'm not sure, if that's the best way to do it, and if yes, where the best place would be to put that line.

BTW, of course it can't be done in the servlet itself (e.g. in init()):

java.lang.IllegalStateException: PWC1426: 
Unable to configure httpOnly session tracking cookie property for 
servlet context /..., because this servlet context has already been initialized

Generally, I would prefer to use a configuration option e.g. in web.xml.

Chris Lercher asked Jun 13 '10 18:06
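As an added example (not code from the original question or answers), the programmatic route via SessionCookieConfig placed where it is still allowed: a ServletContextListener runs before any servlet is initialized, so the IllegalStateException quoted above does not occur. The class name is my own; it assumes a Servlet 3.0 container such as GlassFish v3.

```java
// Added example, not part of the original post. Programmatic equivalent of the
// web.xml <cookie-config> settings for Servlet 3.0 containers (e.g. GlassFish v3).
// A ServletContextListener's contextInitialized() runs before any servlet's
// init(), which is why SessionCookieConfig may still be changed here.
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// @WebListener registers the listener without a <listener> entry in web.xml.
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();

        // HttpOnly: the browser keeps the session id out of document.cookie,
        // so script injected into the page cannot read it.
        cfg.setHttpOnly(true);

        // Secure: the cookie is only sent over TLS. Note this is a global
        // setting; on a plain-HTTP development deployment the browser will
        // never return the cookie, so only enable it where HTTPS is in use.
        cfg.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to clean up; cookie settings die with the context.
    }
}
```

Verify the result by inspecting the Set-Cookie header of the first response: JSESSIONID should carry both the HttpOnly and Secure attributes.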


2 Answers

This is supported via a Servlet 3.0 web.xml (see web-common_3_0.xsd):

<web-app>
  <session-config>
    <cookie-config>
      <!--             
        Specifies whether any session tracking cookies created 
        by this web application will be marked as HttpOnly
      -->
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
Pascal Thivent answered Oct 19 '22 21:10


You can also add <secure>true</secure> to boost security.

<session-config>
    <cookie-config>
        <http-only>true</http-only> 
        <secure>true</secure>
    </cookie-config>
</session-config>
Amir Md Amiruzzaman answered Oct 19 '22 21:10