I have a web application which is running on a Tomcat 7 server. The cookie with the session id has the flags HttpOnly and Secure set by default. I want to disable these flags for the JSESSIONID cookie, but it won't work. I have changed this in my web.xml file, but it is not working.
<session-config>
    <session-timeout>20160</session-timeout>
    <cookie-config>
        <http-only>false</http-only>
        <secure>false</secure>
    </cookie-config>
</session-config>
I know this is a security risk because an attacker is able to steal the cookie and hijack the session if he has found an XSS vuln.
The JSESSIONID cookie should be sent with HTTP and HTTPS and with AJAX requests.
Edit:
I have successfully disabled the HttpOnly flag by adding the following option to the conf/context.xml file:
<Context useHttpOnly="false"> .... </Context>
In short, the HttpOnly flag makes cookies inaccessible to client-side scripts, like JavaScript. Those cookies can only be edited by a server that processes the request. This is the main reason why CookieScript (which is a JavaScript-based solution) cannot control cookies with the HttpOnly flag.
I did not find a solution to this in Tomcat, but if you're using Apache as a reverse proxy you can do:
Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
with mod_headers, which will munge the header on the way back out to remove the Secure flag. Not pretty, but it works if this is critical.
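Added example (not part of the answer above): a small Python model of what the mod_headers rule does to a Set-Cookie header, plus a parser that reports the Secure/HttpOnly/SameSite attributes of each cookie. The regex is the one from the answer, translated from Apache's PCRE syntax to Python's re module; the sample headers are constructed, not captured from a real Tomcat. The point is to let an operator confirm, before deploying the rewrite, that it strips only the Secure flag and only from JSESSIONID, and to have a checker for auditing the headers the proxy actually emits afterwards.

```python
import re

# The rewrite from the answer, as a Python regex. Apache mod_headers uses
# PCRE; for this simple pattern the two dialects behave identically.
PATTERN = re.compile(r"(JSESSIONID=.*)(; Secure)")


def strip_secure_from_jsessionid(set_cookie: str) -> str:
    """Apply the same edit that `Header edit* Set-Cookie ...` performs."""
    return PATTERN.sub(r"\1", set_cookie)


def cookie_flags(set_cookie: str) -> dict:
    """Parse one Set-Cookie header value into its name and security attributes.

    Attribute names are compared case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {"name": name, "secure": False, "httponly": False, "samesite": None}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            flags["secure"] = True
        elif key == "httponly":
            flags["httponly"] = True
        elif key == "samesite":
            flags["samesite"] = value.strip() or None
    return flags


# Constructed sample response headers (hypothetical values, not from a real server).
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly",
    "JSESSIONID=FEDCBA9876543210; Path=/app; HttpOnly; Secure",  # attribute order differs
    "csrftoken=abc123; Path=/; Secure; HttpOnly",                # must be left untouched
]


def audit(headers):
    """Return (flags_before, flags_after) for each header once the rewrite is applied."""
    report = []
    for header in headers:
        rewritten = strip_secure_from_jsessionid(header)
        report.append((cookie_flags(header), cookie_flags(rewritten)))
    return report


if __name__ == "__main__":
    for before, after in audit(SAMPLE_HEADERS):
        print(f"{before['name']}: secure {before['secure']} -> {after['secure']}, "
              f"httponly {before['httponly']} -> {after['httponly']}")
```

Running it shows the JSESSIONID cookies lose only their Secure attribute (HttpOnly and Path survive regardless of attribute order), while the unrelated csrftoken cookie is unchanged. The same `cookie_flags` parser can be pointed at the headers of a live response (for example the `Set-Cookie` values returned by a `requests` call) to verify the proxy rule behaves the same way in production.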