HttpOnly flag can't work on tomcat6.0.36


I have tried many ways to use the HttpOnly flag to prevent XSS attacks, but all failed.
The common way is to set useHttpOnly="true" in context.xml.
To test the result, I set two test cookies in the Java code and, in the front-end JSP file, included JavaScript that alerts document.cookie; the two test cookies set in the Java code are retrieved and shown in the alert.
Java code:
```java
// Two test cookies added through the Servlet Cookie API
Cookie cookie = new Cookie("httponlytest", "testsss");
response.addCookie(cookie);
Cookie cookie1 = new Cookie("testhttponly", "successfu");
response.addCookie(cookie1);
```
JavaScript in the JSP file:
```javascript
alert("cookie------------" + document.cookie);
```
Is there anything I did wrong?
If you know how, it would be very helpful.
For others who do not know HttpOnly:
HttpOnly=true is a relatively new attribute that makes a cookie in the browser inaccessible to JavaScript.
So it is a browser-only security (XSS) technique to prevent access to JSESSIONID (hijacking Java sessions) and such.
So you could always set the HttpOnly attribute in the Cookie itself. For the Java session ID it is now the default, I think; at least it should be.
```xml
<Context useHttpOnly="true">
```
This seems to work only for JSESSIONID. I just found this on SO.
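An added example (not code from the question or from any of the answers) of setting the flag on the custom cookies themselves, as the answer above suggests. Tomcat 6 implements Servlet 2.5, whose javax.servlet.http.Cookie has no setHttpOnly(), so the Set-Cookie header is written by hand; the servlet class name is hypothetical.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: emits the question's two test cookies with HttpOnly set,
// which the Servlet 2.5 Cookie class used by Tomcat 6 cannot do on its own.
public class HttpOnlyCookieServlet extends HttpServlet {

    // RFC 6265 cookie-name (token) and cookie-value characters. Anything else
    // (';', CR, LF, ...) would let a caller break out of the header, so reject it.
    private static final Pattern NAME = Pattern.compile("[!#$%&'*+.0-9A-Z^_`a-z|~-]+");
    private static final Pattern VALUE = Pattern.compile("[!#-+\\--:<-\\[\\]-~]*");

    /** Builds one Set-Cookie header value carrying HttpOnly (plus Secure when over TLS). */
    static String buildSetCookie(String name, String value, boolean secure) {
        if (!NAME.matcher(name).matches() || !VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid cookie name or value");
        }
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value).append("; Path=/; HttpOnly");
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // addHeader, not setHeader: both cookies and Tomcat's own JSESSIONID
        // header must all reach the client.
        resp.addHeader("Set-Cookie", buildSetCookie("httponlytest", "testsss", req.isSecure()));
        resp.addHeader("Set-Cookie", buildSetCookie("testhttponly", "successfu", req.isSecure()));

        // Same check the question used: with HttpOnly honoured by the browser,
        // neither test cookie appears in document.cookie.
        resp.setContentType("text/html");
        resp.getWriter().println("<script>alert('cookie------------' + document.cookie);</script>");
    }
}
```

On Tomcat 7 or later (Servlet 3.0) the same result is obtained with cookie.setHttpOnly(true) before response.addCookie(cookie).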
Recently I was dealing with http-only=true cookies. During my research I found that Mozilla and Chrome do not allow Java applets to use http-only=true cookies. I was getting an issue accessing the JsessionidSSO cookie. During my research on Java bugs I found this bug.
While in IE there is no issue in reading the cookies, as IE has provided the InternetGetCookieEx() API to access http-only cookies and added the flag INTERNET_COOKIE_HTTPONLY, available only in IE8 and above. So the problem of accessing the http-only cookies is still not solved, as Java proposed the fix in Java 7 update 40 while the current version is Java 7 update 21.