How to Configure Httponly Cookies in Tomcat/Java Webapps

How do you configure HttpOnly cookies in tomcat / java webapps?

httpOnly is supported as of Tomcat 6.0.19 and Tomcat 5.5.28.

See the changelog entry for bug 44382.

The last comment for bug 44382 states, "this has been applied to 5.5.x and will be included in 5.5.28 onwards." However, it does not appear that 5.5.28 has been released.

The httpOnly functionality can be enabled for all webapps in conf/context.xml:

<Context useHttpOnly="true">
...
</Context>

My interpretation is that it also works for an individual context by setting it on the desired Context entry in conf/server.xml (in the same manner as above).

How to set HttpOnly and session cookie for Java web application

Depending on the specifics of your web container, modifying container-managed session cookies within an app can cause the app server to toss the existing session and create a new one. I've observed this on Tomcat but it may be similar for Weblogic.

If you're using Servlets 3.0, you can actually instruct the app server to ensure that all session cookies are HttpOnly and Secure with the following fragments:

<session-config>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

This is a better approach than manually hacking on the cookies with a filter.

FYI: I've also written a Java library that injects a number of security related response headers in Servlet based apps.

Add HttpOnly flag to cookies on the fly with Apache?

Try the following mod_headers directive.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly

How to secure JSESSIONID cookie in Tomcat 7 using environment variables

Unfortunately (for your purposes) this setting is per connector, and will affect all applications on that connector. There is no way to set this except at the connector level.

If you truly want to affect only some applications deployed to the server, you could ask the server admins to define a new connector (would require a different port) and just set that one, but that still requires admin intervention, which it sounds like you were trying to avoid.

Forcing Tomcat to use secure JSESSIONID cookie over http

In the end, contrary to my initial tests, the web.xml solution worked for me on Tomcat 7.

E.g. I added this snippet to web.xml and it marks the session cookie as secure even when the reverse proxy contacts Tomcat over plain HTTP.

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
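To confirm that whichever setting from the answers above (Tomcat's useHttpOnly, the Servlet 3.0 cookie-config, or the mod_headers rewrite) actually reached the wire, here is an added Python audit that is not code from any of the answers: it parses Set-Cookie header values and reports cookies missing HttpOnly or Secure. The sample headers are constructed, and add_httponly() is a hypothetical helper that mirrors the `Header edit` directive but skips cookies that already carry the flag.

```python
"""Audit Set-Cookie header values for the HttpOnly and Secure attributes."""
from typing import Dict, List

# Constructed sample: Set-Cookie values as a reverse proxy or browser would receive them.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=3A1F2B4C5D6E7F8091A2B3C4D5E6F7A8; Path=/app",
    "JSESSIONID=9F8E7D6C5B4A39281706F5E4D3C2B1A0; Path=/secure; Secure; HttpOnly",
    "remember_me=abc123; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.
    Attribute names are case-insensitive per RFC 6265, so 'HttpOnly' and 'httponly' both match."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str, require_secure: bool = True) -> List[str]:
    """Return findings for one Set-Cookie value; an empty list means both flags are present."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{cookie['name']}: missing HttpOnly")
    if require_secure and "secure" not in attrs:
        findings.append(f"{cookie['name']}: missing Secure")
    return findings


def add_httponly(header: str) -> str:
    """Hypothetical equivalent of 'Header edit Set-Cookie ^(.*)$ $1;HttpOnly' that does not
    append a second HttpOnly when the application already set one."""
    if "httponly" in parse_set_cookie(header)["attrs"]:
        return header
    return header + ";HttpOnly"


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE_HEADERS:
        print(h, "->", audit_cookie(h) or "OK")
```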