3 Replies Latest reply on Apr 7, 2011 11:40 AM by gigi2

set session cookie secure and httpOnly?

gigi2 Apr 6, 2011 4:21 PM

Hello, JBoss gurus,

We use JBoss 5.0.1 GA for web applications. I'm wondering what I can do to set session cookies going out to be secure and httpOnly. As a newbie in JBoss, I'd truly appreciate any helps/hints you may have.

gigi

1. set session cookie secure and httpOnly?

gigi2 Apr 6, 2011 6:41 PM (in response to gigi2)

I tried to add a context.xml file that looks like

<Context cookies="true" crossContext="false">
   <Manager pathname="" />
   <InstanceListener>org.jboss.web.tomcat.security.RunAsListener</InstanceListener>
   <SessionCookie secure="true" useHttpOnly="true" >
</Context>

it does not work either. I've also tried

<SessionCookie secure="true" httpOnly="true" >

Neither did that work. Can anyone please give some helps? Thanks a lot in advance
Actions
2. set session cookie secure and httpOnly?

gigi2 Apr 7, 2011 10:35 AM (in response to gigi2)

Can someone please shed some light onto this? So desparate here :-(
Actions
3. set session cookie secure and httpOnly?

gigi2 Apr 7, 2011 11:40 AM (in response to gigi2)

Ahh! I finally got it work by adding the following line to context.xml file

<SessionCookie secure="true" httpOnly="true" />

Somehow it was not deployed at the beginning

I basically copied JBoss's standard context.xml over and added that line. As I'm not very familiar with setting up context.xml, I have a 1 minor question:

the default of crossContext is set to true in JBoss's standard context.xml, is there a reason for that?

Thanks a lot for your helping out there
Actions

Go to original post