Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Secure and HttpOnly flags for session cookie Websphere 7

In Servlet 3.0 complaint application servers I can set the HttpOnly and secure flags for the session cookie (JSESSIONID) by adding the following to the web.xml:

<session-config>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

However, the application I'm working on is to be deployed in Websphere 7, which is Servlet 2.5 complaint and it fails to start if I add the above to the web.xml

Is there any other declarative way or setting in Websphere 7 configuration to turn on the HttpOnly and secure flags for the session cookie?

If not, what would be the best approach to accomplish that programmatically?

like image 779
mmutilva Avatar asked Feb 08 '12 12:02

mmutilva


People also ask

Can a cookie be HttpOnly and secure?

HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS.

Should session cookies be HttpOnly?

For example, cookies that persist in server-side sessions don't need to be available to JavaScript and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.


2 Answers

I think in WebSphere 7 you may have to delve into the administrative console. As ever the WebSphere documentation seems poor but seems to suggest setting the com.ibm.ws.security.addHttpOnlyAttributeToCookies property:

Both the Secure flag and the HTTPOnly flag are enabled by setting the WebSphere Application Server property: com.ibm.ws.security.addHttpOnlyAttributeToCookies.

I found this, which I hope is applicable to WAS7. Can you try please (I only have WAS 8 at the moment on my system):

JSESSIONID cookie:

Secure Flag:

The Secure flag can be set within the WebSphere Application Server administrative interface by selecting AppServer->[Server Name]->Web Container Settings->Session Management. Check the checkbox for “Restrict cookies to HTTPS Sessions”.

HTTPOnly Flag:

The HTTPOnly attribute cannot currently be set on this cookie. This is registered on the IBM site as APAR PK98436. The fix for this APAR is currently targeted for inclusion in Fix Packs 6.1.0.31 and 7.0.0.9, which are not yet available. With this APAR in place, the HTTPOnly flag can be set on the JSESSIONID cookie by way of the property name: com.ibm.ws.webcontainer.httpOnlyCookies. Refer to the following technote for instructions on enabling WebContainer custom properties.

The com.ibm.ws.webcontainer.httpOnlyCookies property is documented on the WAS 7 help site.

like image 184
planetjones Avatar answered Oct 21 '22 09:10

planetjones


To set Secure flag to JSESSIONID cookie (same for WebSphere 7.x and 8.x):

  • log in log in WebSphere admin console
  • Navigate to Server > Server types > WebSphere application servers
  • Click on server name (default is server1)
  • Click on link Web Container settings > Web Container
  • Click on link Session Management
  • Click on link Enable Cookies. This bit a litle bit confusing, you have to click on text not on the check box
  • select option (check box) Restrict cookies to HTTPS sessions
  • Save changes

To set HttpOnly flag in WebSphere 8.x to JSESSIONID cookie

  • log in log in WebSphere admin console
  • Navigate to Server > Server types > WebSphere application servers
  • Click on server name (default is server1)
  • Click on link Web Container settings > Web Container
  • Click on link Session Management
  • Click on link Enable Cookies. This bit a litle bit confusing, you have to click on text not on the check box
  • select option (check box) Set session cookies to HTTPOnly to help prevent cross-site scripting attacks
  • Save changes

To set HttpOnly flag in WebSphere 7.x to JSESSIONID cookie

  • log in log in WebSphere admin console
  • Navigate to Server > Server types > WebSphere application servers
  • Click on server name (default is server1)
  • Click on link Web Container settings > Web Container
  • Click on link Custom Proprties
  • Click on button New
  • Enter name: com.ibm.ws.webcontainer.httpOnlyCookies value:* (HttpOnly will be set on all cookies not only JSESSIONID)
  • Click on OK button
  • Save changes
like image 39
zoran Avatar answered Oct 21 '22 08:10

zoran