Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Setting 'HttpOnly' and 'Secure' in web.xml

I need to have the 'HttpOnly' and 'Secure' attributes set to 'true' to prevent the CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute and CWE-402: Transmission of Private Resources into a New Sphere flaws from showing in the Veracode report.

After doing some online searching, it seems that the best thing to do is to simply set the attributes in the project's web.xml file as follows:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
 </session-config>

However, I get an error message on the opening tag saying that "The content of element type "session-config" must match "(session-timeout)?".

I'm not sure what that means exactly. I'm guessing it has something to do with the order of elements but I don't really know how to fix it.

Any thoughts?

Thanks!

like image 354
EH Khiari Avatar asked Jun 14 '17 19:06

EH Khiari


1 Answers

The support for secure and http-only attribute is available only on http-servlet specification 3. Check that version attribute in your web.xml is "3.0".

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
            http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
     version="3.0">
like image 188
Alessandro Proscia Avatar answered Oct 10 '22 22:10

Alessandro Proscia