How do you configure HttpOnly cookies in tomcat / java webapps?
httpOnly is supported as of Tomcat 6.0.19 and Tomcat 5.5.28.
See the changelog entry for bug 44382.
The last comment for bug 44382 states, "this has been applied to 5.5.x and will be included in 5.5.28 onwards." However, it does not appear that 5.5.28 has been released.
The httpOnly functionality can be enabled for all webapps in conf/context.xml:
<Context useHttpOnly="true">
...
</Context>
My interpretation is that it also works for an individual context by setting it on the desired Context entry in conf/server.xml (in the same manner as above).
how to set httponly and session cookie for java web application
Depending on the specifics of your web container, modifying container-managed session cookies within an app can cause the app server to toss the existing session and create a new one. I've observed this on Tomcat but it may be similar for Weblogic.
If you're using Servlets 3.0, you can actually instruct the app server to ensure that all session cookies are HttpOnly and Secure with the following fragments:
<session-config>
<cookie-config>
<secure>true</secure>
<http-only>true</http-only>
</cookie-config>
</session-config>
This is a better approach than manually hacking on the cookies with a filter.
FYI: I've also written a Java library that injects a number of security related response headers in Servlet based apps.
Add HttpOnly flag to cookies on the fly with Apache?
Try the following mod_headers directive.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly
how to secure jsessionid cookie in tomcat 7 using environment variables
Unfortunately (for your purposes) this setting is per connector, and will affect all applications on that connector. There is no way to set this except at the connector level.
If you truly want to affect only some applications deployed to the server, you could ask the server admins to define a new connector (would require a different port) and just set that one, but that still requires admin intervention, which it sounds like you were trying to avoid.
Forcing Tomcat to use secure JSESSIONID cookie over http
In the end, contrary to my initial tests, the web.xml solution worked for me on Tomcat 7.
E.g. I added this snippet to web.xml and it marks session cookie as secure even when reverse proxy contacts tomcat over plain HTTP.
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
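As an added example (not code from any of the answers above), a small Python audit that checks response Set-Cookie headers for the HttpOnly and Secure flags that the web.xml cookie-config and the mod_headers directive are meant to produce. It also shows an idempotent version of the Apache rewrite, since `Header edit Set-Cookie ^(.*)$ $1;HttpOnly` appends the attribute even when a cookie already carries it. The sample headers are constructed, not captured from a real server.

```python
from typing import Dict, List

# Flags every session cookie should carry, in the spelling browsers expect.
REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into the cookie name and its attribute names.

    Attribute names are lowercased because RFC 6265 attributes are
    case-insensitive ("httponly" and "HttpOnly" are the same flag).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "attrs": attrs}


def missing_flags(header_value: str) -> List[str]:
    """Return the required flags that this Set-Cookie value does not carry."""
    attrs = parse_set_cookie(header_value)["attrs"]
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the list of flags it is missing (empty list = OK)."""
    return {parse_set_cookie(h)["name"]: missing_flags(h) for h in headers}


def add_httponly(header_value: str) -> str:
    """Idempotent equivalent of `Header edit Set-Cookie ^(.*)$ $1;HttpOnly`.

    The raw directive appends unconditionally, so a cookie the app already
    flagged would end up with two HttpOnly attributes; this version checks first.
    """
    if "httponly" in parse_set_cookie(header_value)["attrs"]:
        return header_value
    return header_value + "; HttpOnly"


# Constructed sample: what a Tomcat response might send before and after the
# cookie-config fix above (JSESSIONID without flags, another cookie with only one).
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/app",
    "prefs=dark; Path=/; HttpOnly",
    "remember_me=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```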