3 Replies, latest reply: Apr 7, 2011 11:40 AM by gigi sheh

set session cookie secure and httpOnly?

gigi sheh Newbie

Hello, JBoss gurus,

We use JBoss 5.0.1 GA for web applications. I'm wondering what I can do to set session cookies going out to be secure and httpOnly. As a newbie in JBoss, I'd truly appreciate any help/hints you may have.

gigi

  • 1. set session cookie secure and httpOnly?
    gigi sheh Newbie

    I tried to add a context.xml file that looks like

    <Context cookies="true" crossContext="false">
       <Manager pathname="" />
       <InstanceListener>org.jboss.web.tomcat.security.RunAsListener</InstanceListener>
       <SessionCookie secure="true" useHttpOnly="true" >
    </Context>

    It does not work either. I've also tried

    <SessionCookie secure="true" httpOnly="true" >

    Neither did that work. Can anyone please give some help? Thanks a lot in advance.

  • 2. set session cookie secure and httpOnly?
    gigi sheh Newbie

    Can someone please shed some light on this? So desperate here :-(

  • 3. set session cookie secure and httpOnly?
    gigi sheh Newbie

    Ahh! I finally got it to work by adding the following line to the context.xml file:

       <SessionCookie secure="true" httpOnly="true" />

    Somehow it was not deployed at the beginning.

    I basically copied JBoss's standard context.xml over and added that line. As I'm not very familiar with setting up context.xml, I have one minor question:

    The default of crossContext is set to true in JBoss's standard context.xml; is there a reason for that?

    Thanks a lot for your help out there.
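As an added example (not from the original thread and not JBoss code), here is a small Python checker for the situation in reply 3, where the setting silently had no effect: it parses the raw Set-Cookie header values a server returns and reports whether the JSESSIONID cookie lacks Secure or HttpOnly. The `fetch_set_cookie` helper and the sample headers are my own assumptions/constructed data; the host and path are whatever you deployed to.

```python
import http.client

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split 'NAME=value; Path=/; Secure; HttpOnly' into (name, attrs)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        # Attribute names are case-insensitive; bare flags map to True.
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name, attrs


def missing_flags(header_value, cookie_name="JSESSIONID"):
    """Required flags absent from the named cookie; None if it is another cookie."""
    name, attrs = parse_set_cookie(header_value)
    if name != cookie_name:
        return None
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit(set_cookie_headers, cookie_name="JSESSIONID"):
    """Map each header that sets the session cookie to the flags it lacks."""
    result = {}
    for header in set_cookie_headers:
        missing = missing_flags(header, cookie_name)
        if missing is not None:
            result[header] = missing
    return result


def fetch_set_cookie(host, path="/", port=443):
    """GET `path` over TLS and return every Set-Cookie value (needs a live host)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    conn.request("GET", path)
    headers = conn.getresponse().headers.get_all("Set-Cookie") or []
    conn.close()
    return headers


# Constructed sample headers: the first is what a deployment without the
# SessionCookie element would send, the second what the fixed one should.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/myapp",
    "JSESSIONID=0123456789ABCDEF; Path=/myapp; Secure; HttpOnly",
    "theme=dark; Path=/myapp",
]
```

Run `audit(fetch_set_cookie("your-host", "/myapp/"))` against the deployed server; an empty list for the JSESSIONID header means both flags are present.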