Missing HttpOnly Attribute in Session Cookie

In sign.jsp, I have written the following so that, if a user is already logged in, he is immediately forwarded to his home page:

<%
try {
    // false: reuse an existing session, never create a new one just for this check
    HttpSession session1 = request.getSession(false);

    // A session only exists for visitors who have been here before; guard against null
    if (session1 != null
            && session1.getAttribute("authenticated") != null
            && session1.getAttribute("authenticated").equals(true)) {
        response.sendRedirect("userhome.jsp");
        return;   // stop rendering the login page once the redirect has been sent
    } else {
        // users have to login here
    }
} catch (Exception e) {
    // log the error and fall through to the login form
}
%>

The security scan is reporting "Missing HttpOnly Attribute in Session Cookie" in sign.jsp.

If I set: <Context useHttpOnly="true"> ... </Context>

in: C:\Program Files\Apache Software Foundation\Apache Tomcat 6.0.20\conf

then will my problem be solved, or what else do I have to do? Any suggestion is much appreciated.

If you are using Servlet 3.0: Servlet 3.0 (Java EE 6) introduced a standard way to configure the HttpOnly attribute for the session cookie, by applying the following configuration in web.xml:

<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>

Another approach is:

import javax.servlet.http.Cookie;

Cookie cookie = new Cookie(cookieName, cookieValue);
cookie.setHttpOnly(true);   // Cookie.setHttpOnly() is available from Servlet 3.0
httpResponse.addCookie(cookie);

Read this article: https://access.redhat.com/solutions/338313

I think you have to set

<Context cookies="true" crossContext="true">
  <SessionCookie secure="true" httpOnly="true" />
</Context>

attributes in "$PROFILE\deploy\jbossweb.sar\context.xml"
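Whichever of the configurations above you apply (note that Tomcat 6.0 implements Servlet 2.5, so the web.xml <cookie-config> element needs Tomcat 7 or later, while the useHttpOnly Context attribute is the Tomcat 6.0.19+ route), the way to confirm the scan finding is gone is to look at the Set-Cookie header the server actually sends, which is all the scanner does. The following script is an added example, not code from the question or either answer: it parses Set-Cookie header values and reports session cookies that lack HttpOnly (and, as an extra policy choice the scan did not ask for, Secure). It assumes the servlet default cookie name JSESSIONID; the sample header values are constructed, not captured from a real server, and the session id in them is made up.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attributes.

Mirrors what a scanner checks: the attribute must appear, case-insensitively,
in the Set-Cookie header of the session cookie itself.
"""
import http.client
from urllib.parse import urlsplit

# Names that carry the servlet session id (JSESSIONID is the servlet default; assumption)
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attributes come back as a dict keyed by lower-cased attribute name; flag
    attributes such as HttpOnly and Secure map to True, valued ones to their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie_headers(header_values, require_secure=True):
    """Return a list of findings for the session cookies among header_values.

    An empty list means every session cookie carries the required attributes.
    """
    findings = []
    for raw in header_values:
        name, _, attrs = parse_set_cookie(raw)
        if name not in SESSION_COOKIE_NAMES:
            continue
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly attribute")
        if require_secure and "secure" not in attrs:
            findings.append(f"{name}: missing Secure attribute")
    return findings


def fetch_set_cookie_headers(url, timeout=10):
    """GET url and return every Set-Cookie header value from the response."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        # getheaders() keeps duplicate headers, so several Set-Cookie lines all survive
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample headers (not captured from a real server): the shape Tomcat
# sends before and after useHttpOnly="true" / <http-only>true</http-only> takes effect.
BEFORE_FIX = ["JSESSIONID=5F1C3A2B9D7E; Path=/"]
AFTER_FIX = ["JSESSIONID=5F1C3A2B9D7E; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    import sys
    # With a URL argument, audit the live server; otherwise audit the sample headers
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else BEFORE_FIX
    findings = audit_set_cookie_headers(headers)
    for finding in findings:
        print("FAIL:", finding)
    if not findings:
        print("OK: session cookie has the required attributes")
```

Run it against the login page (for example the URL of sign.jsp) after restarting the container; a session cookie is only issued on a request that creates a session, so point it at a page that does, and pass require_secure=False if the application is deliberately served over plain HTTP in a test environment.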
