Add the 'HttpOnly' attribute to all session cookies


Solution 1

The HttpOnly attribute is set on Cookies, and these are (usually) passed from the server to the client, not from the client to the server. HttpOnly is not an attribute you can set on a form or form parameter. Here the client is the browser and the server is the Java EE server running your Java application.

Cookies are usually created by a server, passed to the browser and then passed back. Now it is possible to create and manipulate Cookies using JavaScript which can be helpful but can also be a security hole. So an HttpOnly Cookie is only accessible by the server, or in other words it is not accessible from client side JavaScript which protects your site from some forms of XSS attacks. So the Browser will store and return an HttpOnly Cookie but it will not alter it or allow you to create it on the client; an HttpOnly Cookie must be created on the server.

If you're using JSP it's likely your server is automatically creating a Cookie to manage sessions for you; this is the cookie on which you need to set the HttpOnly attribute. The method to set HttpOnly on your SESSIONID Cookie will be container specific.

Solution 2

Were you able to set the "HttpOnly" attribute in session cookies?

I found this code to do this on https://www.owasp.org/index.php/HttpOnly

<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>
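To confirm that the container really emits the attribute once the configuration is in place (the same check the auditor in the question ran), here is an added example in Python that is not part of either answer: it parses Set-Cookie header values and reports session cookies that lack HttpOnly. The session cookie names and the sample headers are constructed for the example.

```python
# Audit Set-Cookie headers for session cookies missing the HttpOnly attribute.
# Attribute names are matched case-insensitively, as RFC 6265 requires.

# Constructed list of cookie names commonly used for server-side sessions.
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes such as HttpOnly and Secure carry an empty value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_session_cookie(name, session_names=SESSION_COOKIE_NAMES):
    return name.lower() in session_names


def audit_set_cookie_headers(headers, session_names=SESSION_COOKIE_NAMES):
    """Return the names of session cookies set without HttpOnly, in header order."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if is_session_cookie(name, session_names) and "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed sample headers: one vulnerable session cookie, one fixed, one non-session.
SAMPLE_HEADERS = [
    "JSESSIONID=EXAMPLE0123456789; Path=/app",
    "JSESSIONID=EXAMPLE0123456789; Path=/app; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for cookie_name in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"Missing HttpOnly attribute in session cookie: {cookie_name}")
```

Feed it the Set-Cookie headers from a real response (for example from a `requests` response's `headers.get_all`-style raw header list) to verify the Tomcat change from the client side.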
Author: Tom

Updated on November 16, 2020

Comments

  • Tom
    Tom over 3 years

    I got the following error when my website was being audited. I have developed my website using JSP, servlets and Java classes.

    Missing HttpOnly Attribute in Session Cookie

    Security Risks

    It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

    Causes:

    The web application sets session cookies without the HttpOnly attribute

    Remediation Tasks:

    Add the 'HttpOnly' attribute to all session cookies

    I am passing a Java security token as a hidden parameter while clicking on the submit button. How can I add this HttpOnly attribute to that token?

  • Tom
    Tom about 12 years
    Okay, but what is this server and client? Can you please elaborate a little more?
  • David Webb
    David Webb about 12 years
    @tom - have expanded the answer a little more. It's probably worth following the links in the answer to get more detail.
  • Tom
    Tom about 12 years
    Yes, thanks. Just one more doubt: if I make any modification inside Tomcat, will I have to make any modification on the client side too for the HttpOnly attribute?
  • David Webb
    David Webb about 12 years
    No, the HttpOnly option is controlled solely by the Server.