Tomcat 7 sessionid cookie disable http-only and secure

I have a web application which is running on a Tomcat 7 server. The cookie with the session id has the flags HttpOnly and Secure by default. I want to disable these flags for the JSESSIONID cookie, but it won't work. I have changed this in my web.xml file but it is not working.

<session-config>
    <session-timeout>20160</session-timeout>
    <cookie-config>
        <http-only>false</http-only>
        <secure>false</secure>
    </cookie-config>
</session-config>

I know this is a security risk because an attacker is able to steal the cookie and hijack the session if he has found an XSS vuln.

The JSESSIONID cookie should be sent with HTTP and HTTPS and with AJAX requests.

Edit:

I have successfully disabled the HttpOnly flag by adding the following option to the conf/context.xml file:

<Context useHttpOnly="false"> .... </Context> 
JEE-Dev asked Aug 01 '13 10:08




1 Answer

I did not find a solution in Tomcat to this, but if you're using Apache as a reverse proxy you can do:

Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1" 

with mod_headers which will munge the header on the way back out to remove the secure flag. Not pretty but works if this is critical.

George Powell answered Sep 18 '22 20:09

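An added example in Python (not part of the question or the answer above): it applies the exact regex from the answer's mod_headers directive to constructed Set-Cookie values and reports which flags the JSESSIONID cookie carries as Tomcat emitted it and after the proxy rewrite, so an operator can confirm which layer (web.xml, context.xml, or Apache) actually changed the cookie. The header values are constructed for the example, not captured from a real server.

```python
import re

# The exact pattern from the mod_headers directive in the answer above:
#   Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
# `edit*` replaces every match with the first capture group, i.e. drops "; Secure".
APACHE_EDIT = re.compile(r"(JSESSIONID=.*)(; Secure)")


def apache_header_edit(set_cookie: str) -> str:
    """Emulate what mod_headers does to one Set-Cookie value on the way out."""
    return APACHE_EDIT.sub(r"\1", set_cookie)


def cookie_flags(set_cookie: str) -> dict:
    """Parse one Set-Cookie value into the cookie name and the presence of the
    HttpOnly and Secure attributes (attribute names compared case-insensitively)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def audit_session_cookies(set_cookie_headers: list) -> list:
    """For each JSESSIONID Set-Cookie header, report its flags as Tomcat emitted it
    ("tomcat") and after the Apache rewrite ("proxied"). Other cookies are skipped,
    since the directive's regex only matches JSESSIONID."""
    report = []
    for raw in set_cookie_headers:
        if not raw.startswith("JSESSIONID="):
            continue
        rewritten = apache_header_edit(raw)
        report.append({"tomcat": cookie_flags(raw), "proxied": cookie_flags(rewritten)})
    return report


# Constructed sample headers (not captured from a real server): the Tomcat 7
# default, a cookie after useHttpOnly="false" in context.xml, and an unrelated cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3; Path=/app; Secure; HttpOnly",
    "JSESSIONID=D4E5F6; Path=/app; Secure",
    "theme=dark; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for entry in audit_session_cookies(SAMPLE_HEADERS):
        print(entry)
```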