3 Replies Latest reply on Jan 18, 2012 4:43 AM by jfclere

    How to set HttpOnly for session cookie ?

    shantanu.u

      I have a JSF web app deployed on JBoss 4.2.3. I'd like to add HttpOnly on the session cookie and it looks like there's no configuration available for this version.


      I wrote a servlet filter to add "HttpOnly", which I add only if the response contains SET-COOKIE. This DOESN'T work on JBoss.

      response.containsHeader("SET-COOKIE") always returns false. I'm using a middle man proxy server and I can see that the Set-Cookie response header is indeed getting generated.

      Anyone to throw light on this ?


      The filter works fine on Tomcat 6.x.

        • 1. Re: How to set HttpOnly for session cookie ?
          jfclere

          Hm code?

          • 2. Re: How to set HttpOnly for session cookie ?
            shantanu.u

            Servlet Filter code is here:


            import java.io.IOException;
            import javax.servlet.Filter;
            import javax.servlet.FilterChain;
            import javax.servlet.FilterConfig;
            import javax.servlet.ServletException;
            import javax.servlet.ServletRequest;
            import javax.servlet.ServletResponse;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpServletResponse;

            public class HttpOnlyFilter implements Filter {

                // Appended to the cookie when the request arrived over HTTPS
                private static final String SECURE_FLAG = "; Secure";

                public void init(final FilterConfig config) throws ServletException {}

                public void destroy() {}

                public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {
                    final HttpServletResponse response = (HttpServletResponse) res;
                    final HttpServletRequest request = (HttpServletRequest) req;
                    // Checked BEFORE the rest of the chain runs
                    if (response.containsHeader("SET-COOKIE")) {  // *******
                        response.setHeader("SET-COOKIE", "JSESSIONID=" + request.getSession().getId() + "; Path=" + request.getContextPath()
                                + "; HttpOnly" + (request.isSecure() ? SECURE_FLAG : ""));
                    }
                    filterChain.doFilter(req, res);
                }
            }


            This works fine in Tomcat 6.0. The line ******* just does not return true. I use the Paros middle man proxy and I can see the "Set-Cookie" header getting generated (it's not case sensitive, so that's not the problem).

            • 3. Re: How to set HttpOnly for session cookie ?
              jfclere

              You should have logic after the filterChain.doFilter(req, res);
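
A filter written the way the reply suggests, as an added example (not the poster's code and not part of JBoss): the check runs after filterChain.doFilter, because JSF creates the session inside the chain, so before the chain there is no Set-Cookie header to find. The class and method names are assumed; only the Servlet 2.5 API calls are real.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example (assumed name): rewrites the session cookie after the chain has run,
 *  i.e. once the container has actually created the session and emitted Set-Cookie. */
public class HttpOnlySessionCookieFilter implements Filter {
    private static final String SET_COOKIE = "Set-Cookie";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        chain.doFilter(req, res);   // the session is created in here, not before

        // Only a session created during this request produces a JSESSIONID Set-Cookie.
        HttpSession session = request.getSession(false);
        if (session == null || !session.isNew()) return;

        // Once the body has been flushed past the response buffer the headers are
        // frozen and a rewrite is ignored, so guard with isCommitted() first.
        if (response.isCommitted() || !response.containsHeader(SET_COOKIE)) return;

        // setHeader replaces every Set-Cookie header; if the app sets its own cookies
        // in the same request they would be lost, so this assumes it does not.
        response.setHeader(SET_COOKIE, sessionCookie(request, session));
    }

    /** Builds the JSESSIONID header with HttpOnly and, on HTTPS, Secure. */
    static String sessionCookie(HttpServletRequest request, HttpSession session) {
        // getContextPath() is "" for the root context, which is not a valid cookie path
        String path = request.getContextPath().length() == 0 ? "/" : request.getContextPath();
        StringBuilder sb = new StringBuilder("JSESSIONID=").append(session.getId())
                .append("; Path=").append(path).append("; HttpOnly");
        if (request.isSecure()) sb.append("; Secure");
        return sb.toString();
    }
}
```

Confirm the result the same way the poster did: watch the response in the proxy and check that the Set-Cookie line now carries HttpOnly (and Secure over HTTPS).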