Missing HttpOnly attribute in Cookie session

in sign.jsp

, I wrote the following so that if a user is already registered, they will be immediately redirected to hishome page

<%
try{

HttpSession session1 = request.getSession(false);

if(session1.getAttribute("authenticated")!=null &&  
 session1.getAttribute("authenticated").equals(true))
{
response.sendRedirect("userhome.jsp");
}
else{

// users have to login here
}
%>

      

The security check reports that Missing HttpOnly Attribute in Session Cookie

the sign.jsp

.

If I install: <Context useHttpOnly="true"> ... </Context>

in: C:\Program Files\Apache Software Foundation\Apache Tomcat 6.0.20\conf

then my problem will be solved or what else should i do? Any suggestion is greatly appreciated

+3


source to share


3 answers


If you are using Servlet 3.0. than Servlet 3.0 (Java EE 6) introduced a standard way of setting HttpOnly attribute for session cookie by applying the following config in web.xml



<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
<session-config>

      

+4


source


Another approach is



Cookie cookie = new Cookie(cookieName, cookieValue);
cookie.setHttpOnly(true);
httpResponse.addCookie(cookie); 

      

+1


source


Read this article https://access.redhat.com/solutions/338313

I think you need to install

<Context cookies="true" crossContext="true">
  <SessionCookie secure="true" httpOnly="true" />

      

to "$ PROFILE \ deploy \ jbossweb.sar \ context.xml"

0


source







All Articles