Setting 'HttpOnly' and 'Secure' in web.xml

Question

I need to have the 'HttpOnly' and 'Secure' attributes set to 'true' to prevent the CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute and CWE-402: Transmission of Private Resources into a New Sphere flaws from showing in the Veracode report.

After doing some online searching, it seems that the best thing to do is to simply set the attributes in the project's web.xml file as follows:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
 </session-config>

However, I get an error message on the opening tag saying that "The content of element type "session-config" must match "(session-timeout)?".

I'm not sure what that means exactly. I'm guessing it has something to do with the order of elements but I don't really know how to fix it.

Any thoughts?

Thanks!

Answer 1

The support for secure and http-only attribute is available only on http-servlet specification 3. Check that version attribute in your web.xml is "3.0".

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
            http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
     version="3.0">