adding httponly and secure flag for set cookie in java web application
Setting the JSESSIONID
is the responsibility of whatever servlet container is running your web application. Remove the setHeader
from your filter, and configure your web application properly by adding the following to your web.xml
:
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
keval
Updated on July 09, 2022Comments
-
keval almost 2 years
I want to add the
httponly
andsecure
flags for Cookies. To implement it, I am usingFilters
which are configured inweb.xml
.The code for adding flags is as below:
package com.crisil.dbconn; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.struts2.ServletActionContext; import org.owasp.esapi.ESAPI; import org.owasp.esapi.filters.SecurityWrapperResponse; public class ClickjackFilter implements Filter { private String mode = "DENY"; /** * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who * decide to implement) not to display this content in a frame. For details, please * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx. */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletResponse res = (HttpServletResponse)response; //HttpServletRequest req = (HttpServletRequest)request.getSession(); res.addHeader("X-FRAME-OPTIONS", mode ); res.addHeader("X-Content-Type-OPTIONS", "nosniff" ); res.addHeader("X-XSS-Protection", "1; mode=block" ); res.addHeader("Vary", "*" ); res.addHeader("Expires", "-1" ); res.addHeader("Pragma", "no-cache" ); res.addHeader("Cache-control", "no-cache, no-store,max-age=0, must-revalidate" ); String contextPath = ((HttpServletRequest) request).getContextPath()+"kevalcccc"; ((HttpServletResponse)ServletActionContext.getResponse()).setHeader("SET-COOKIE", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path="+contextPath+";Secure;HttpOnly"); // touch the session // ((HttpServletRequest) request).getSessison(); // System.out.println("zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"); // overwriting the cookie with Secure attribute set // ((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/"); //////////// /* Cookie[] cookies = ((HttpServletRequest) request).getCookies(); if (cookies != null) for (int i = 0; i < cookies.length; i++) { cookies[i].setValue(""); cookies[i].setPath("/"); cookies[i].setMaxAge(0); cookies[i].setSecure(true); res.addCookie(cookies[i]); } */ ////////////// String sessionid = ((HttpServletRequest) request).getSession().getId(); ((HttpServletResponse) response).setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly"); chain.doFilter(request, response); } public void destroy() { } public void init(FilterConfig filterConfig) { String configMode = filterConfig.getInitParameter("mode"); if ( configMode != null ) { mode = configMode; } } }
The above code is adding
httponly
andsecure
flags for the JSESSIONID cookie. However, in the Response Header, I am getting two cookies. The second one does not havehttponly
andsecure
flags set. Please refer to the below output:JSESSIONID=1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162!1451244054765; HttpOnly;Secure
JSESSIONID=1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162; path=/"
Why are the
httponly
andsecure
flags not added for the second cookie?