Thursday, October 22, 2009

HTTPOnly Cookies in Tomcat/JBoss

Client-side scripts should not be able to read the cookies the server sets, since a script injected through XSS could otherwise steal the session identifier. To address this, the HTTPOnly cookie attribute was introduced by Microsoft Internet Explorer and has since been adopted reasonably widely by other browsers and by the public.

Read more about it at the OWASP site: http://www.owasp.org/index.php/HTTPOnly

Tomcat has a flag on the Context element that enables this feature. You place the Context element in WEB-INF/context.xml (JBoss) or META-INF/context.xml (Tomcat).

Reference: http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

So search Google for examples of context.xml and then add useHttpOnly="true" to the Context element.
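As an added example (not code from the original post or from the Tomcat/JBoss projects), the script below writes a minimal context.xml carrying the useHttpOnly="true" attribute described above and then defines a small check that inspects a Set-Cookie header for the HttpOnly attribute. The directory path and the two sample Set-Cookie headers are constructed for illustration; the check is what you would run against the header a real deployment returns.

```shell
#!/bin/sh
# Added example: write a context.xml that turns on HttpOnly session cookies,
# and verify that a Set-Cookie header actually carries the HttpOnly flag.
# The target directory and sample headers are constructed, not taken from
# any real deployment.

# 1. Write the Context fragment. Per the post, Tomcat reads it from
#    META-INF/context.xml inside the WAR and JBoss from WEB-INF/context.xml.
#    Prints the path of the file it wrote.
write_context_xml() {
    dir="${1:-$(mktemp -d)}"
    mkdir -p "$dir"
    cat > "$dir/context.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!-- useHttpOnly="true" makes Tomcat add the HttpOnly flag to JSESSIONID -->
<Context useHttpOnly="true">
</Context>
EOF
    # Sanity check: the attribute must be present in what we just wrote.
    grep -q 'useHttpOnly="true"' "$dir/context.xml" || return 1
    printf '%s\n' "$dir/context.xml"
}

# 2. Check one Set-Cookie header line for the HttpOnly attribute.
#    Cookie attribute names are case-insensitive (RFC 6265), so match -i.
#    The attribute must follow a ';' so a cookie *value* of "httponly"
#    is not mistaken for the flag. Returns 0 if present, 1 if absent.
cookie_has_httponly() {
    printf '%s\n' "$1" | grep -Eqi ';[[:space:]]*httponly[[:space:]]*(;|$)'
}

# Constructed sample headers: one hardened, one missing the flag.
COOKIE_HARDENED='Set-Cookie: JSESSIONID=ABC123; Path=/app; HttpOnly'
COOKIE_PLAIN='Set-Cookie: JSESSIONID=ABC123; Path=/app'

# Stand-alone demonstration.
file=$(write_context_xml "$(mktemp -d)")
echo "wrote $file"
for hdr in "$COOKIE_HARDENED" "$COOKIE_PLAIN"; do
    if cookie_has_httponly "$hdr"; then
        echo "OK      : $hdr"
    else
        echo "MISSING : $hdr"
    fi
done
```

Against a live server you would feed the check the real header, for example from `curl -sI http://host/app/ | grep -i set-cookie`, after deploying the application with the new context.xml; a missing flag on JSESSIONID means the Context attribute was not picked up (wrong file location, or a Tomcat version that predates useHttpOnly).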

2 comments:

Harald said...

Hi Anil,
in which version of JBoss application server is the useHttpOnly-Feature supported?

Thanks,
Harald

Anil Saldanha said...

Harald,
I will have to look at the tomcat version part of the JBAS stack. It should definitely be there in JBAS6.