Missing HttpOnly attribute in Cookie session
in sign.jsp
, I wrote the following so that if a user is already registered, they will be immediately redirected to hishome page
<%
try{
HttpSession session1 = request.getSession(false);
if(session1.getAttribute("authenticated")!=null &&
session1.getAttribute("authenticated").equals(true))
{
response.sendRedirect("userhome.jsp");
}
else{
// users have to login here
}
%>
The security check reports that Missing HttpOnly Attribute in Session Cookie
the sign.jsp
.
If I install: <Context useHttpOnly="true">
...
</Context>
in: C:\Program Files\Apache Software Foundation\Apache Tomcat 6.0.20\conf
then my problem will be solved or what else should i do? Any suggestion is greatly appreciated
source to share
Read this article https://access.redhat.com/solutions/338313
I think you need to install
<Context cookies="true" crossContext="true">
<SessionCookie secure="true" httpOnly="true" />
to "$ PROFILE \ deploy \ jbossweb.sar \ context.xml"
source to share