Hello - are there any development plans to add the HttpOnly cookie flag to the JBoss session handling cookie? When the HttpOnly flag is added to the session cookie, it prevents JavaScript from reading cookie data. This protects the session cookie from Cross-Site Scripting session hijack attacks. The HttpOnly cookie flag, while not a standard, is a widely used practice and is supported in IE 6+, FF 2.0.0.5+, Opera 9.01+, Konqueror, and is under development at Safari/WebKit.
I've tried to get the cookie1 standard amended, but the best most teams come up with is the old netscape docs on cookie1 - cookie2 never took off.
Any help adding this easy but rather significant fix to JBoss would be greatly appreciated. I am also leading the charge getting HttpOnly added to Tomcat http://manicode.blogspot.com/2008/03/httponly-support-for-apache-tomcat.html
I know about HttpCookie from my work here. Thanks anyway for the description. :)
http://www.w3.org/2006/WSC/drafts/rec/
This would be a change to Tomcat/JBossWeb codebase. Right? Nothing that JBoss needs to do here.