2 Replies Latest reply on Feb 23, 2012 6:23 AM by alrodgers

    How to set HttpOnly and Secure flag in cookies - JBoss 5.1.0

    m.wigge

      Hello!

      I have to set the HttpOnly and the Secure flag in cookies.

      There are some manuals on how to set HttpOnly:

      "In Tomcat 6 flag useHttpOnly=True in context.xml to force this behaviour for applications, including Tomcat-based frameworks like JBoss."

      The context.xml can be found in jboss/server/<myserver>/deploy/jbossweb.sar/context.xml

      Now it looks like this:

      <!-- The contents of this file will be loaded for each web application -->
      <Context cookies="true" crossContext="true" useHttpOnly="true">
         <!-- Session persistence is disable by default. To enable for all web
         apps set the pathname to a non-empty value:
         <Manager pathname="SESSIONS.ser" />

         To enable session persistence for a single web app, add a
         WEB-INF/context.xml
         -->
         <Manager pathname="" />

         <!-- Install an InstanceListener to handle the establishment of the run-as
         role for servlet init/destroy events.
         -->
         <InstanceListener>org.jboss.web.tomcat.security.RunAsListener</InstanceListener>

      </Context>

      Regrettably, it doesn't work.

      I wasn't able to find a manual on how to set the Secure flag, either.

      Can anyone help me?

      Thanks in advance.
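JBoss 5.1.0 implements Servlet 2.5, which has no `<cookie-config>` element in web.xml, so a web application cannot declare HttpOnly or Secure for JSESSIONID the way a Servlet 3.0 application can. The usual application-side workaround at that level is a filter that creates the session itself and then overwrites the container's Set-Cookie header with one carrying the wanted flags. The class below is an added example, not code from the post above or from the JBoss project; the class name, the package-less layout and the web.xml mapping in the comment are assumptions, and it relies on setHeader("Set-Cookie", ...) replacing the container's own session cookie header on the response, which is how Tomcat-derived containers behave but should be verified on the installed JBoss Web version.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original post or from JBoss).
 *
 * Forces session creation up front, then replaces the container's
 * Set-Cookie for JSESSIONID with one that carries HttpOnly and,
 * for TLS requests, Secure.
 *
 * Assumed registration in WEB-INF/web.xml, placed before other filters:
 *
 *   <filter>
 *     <filter-name>SessionCookieFlags</filter-name>
 *     <filter-class>SessionCookieFlagsFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SessionCookieFlags</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class SessionCookieFlagsFilter implements Filter {

    /** Name of the container session cookie (Tomcat / JBoss Web default). */
    static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Create the session now so the container emits its Set-Cookie
        // before the application runs; that header is then overwritten.
        HttpSession session = request.getSession(true);
        if (session.isNew()) {
            // setHeader (not addHeader) replaces the existing Set-Cookie
            // value; assumed behaviour of the JBoss Web response object.
            response.setHeader("Set-Cookie",
                    buildSessionCookie(session.getId(),
                                       request.getContextPath(),
                                       request.isSecure()));
        }

        chain.doFilter(request, response);
    }

    /**
     * Builds the replacement header value. Secure is added only when the
     * request arrived over TLS (request.isSecure()): a Secure cookie issued
     * on a plain-HTTP response would never be returned by the browser, so
     * the user would get a fresh session on every request.
     */
    static String buildSessionCookie(String sessionId, String contextPath, boolean secure) {
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        StringBuilder cookie = new StringBuilder();
        cookie.append(SESSION_COOKIE).append('=').append(sessionId)
              .append("; Path=").append(path)
              .append("; HttpOnly");
        if (secure) {
            cookie.append("; Secure");
        }
        return cookie.toString();
    }
}
```

Two caveats a practitioner should weigh before deploying this. First, it creates a session for every request, including anonymous ones, which costs memory and gives an unauthenticated client a cheap way to fill the session store; restrict the url-pattern to the paths that actually need a session if that matters. Second, a session created or regenerated after the filter has run (for example an invalidate() followed by getSession() during login) is issued by the container with its own cookie and is not rewritten. The Secure decision also depends on request.isSecure() being correct: behind a TLS-terminating proxy that talks plain HTTP to JBoss, the HTTP connector in server.xml needs secure="true" (and a matching scheme="https") or neither the container nor this filter will consider the request secure. Whatever route is used, confirm the result by inspecting the Set-Cookie header of the first response, for example with curl -i, rather than trusting the configuration.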