3 Replies Latest reply: Apr 7, 2011 11:40 AM by gigi sheh

    set session cookie secure and httpOnly?

    gigi sheh Newbie

      Hello, JBoss gurus,

       

      We use JBoss 5.0.1 GA for web applications. I'm wondering what I can do to set the session cookies going out to be secure and httpOnly. As a newbie in JBoss, I'd truly appreciate any help or hints you may have.

       

      gigi

        • 1. set session cookie secure and httpOnly?
          gigi sheh Newbie

          I tried to add a context.xml file that looks like

           

          <Context cookies="true" crossContext="false">

             <Manager pathname="" />

             <InstanceListener>org.jboss.web.tomcat.security.RunAsListener</InstanceListener>

             <SessionCookie secure="true" useHttpOnly="true" />

          </Context>

           

          It does not work either. I've also tried

           

          <SessionCookie secure="true" httpOnly="true" />

           

          Neither did that work. Can anyone please give some help? Thanks a lot in advance.

          • 2. set session cookie secure and httpOnly?
            gigi sheh Newbie

            Can someone please shed some light on this? So desperate here :-(

            • 3. set session cookie secure and httpOnly?
              gigi sheh Newbie

              Ahh! I finally got it to work by adding the following line to the context.xml file:

               

                 <SessionCookie secure="true" httpOnly="true" />

               

              Somehow it was not deployed at the beginning.

               

              I basically copied JBoss's standard context.xml over and added that line. As I'm not very familiar with setting up context.xml, I have one minor question:

               

              The default for crossContext is set to true in JBoss's standard context.xml; is there a reason for that?

               

              Thanks a lot for helping out there.
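Once the SessionCookie element is deployed, the only proof that it took effect is the Set-Cookie header the server actually emits. The following is an added verification script, not code from the thread or from JBoss: it parses Set-Cookie header values and reports which of the Secure and HttpOnly flags are missing on the session cookie. The two sample headers are constructed for illustration (a cookie without the flags, and the same cookie as it should look after the change); the cookie name JSESSIONID is the default used by JBoss Web and Tomcat. The fetch helper shows how to run the same check against a live instance over HTTPS, which matters because Secure is only meaningful, and typically only emitted, on a TLS connection.

```python
"""Verify that a session cookie carries the Secure and HttpOnly flags.

Added example, not part of the original thread or of JBoss. The parser works on
raw Set-Cookie header values; the sample below is constructed, and the live
fetch helper is provided but not called so the script runs offline.
"""
import http.client
import ssl
from typing import Dict, List

REQUIRED_FLAGS = ("secure", "httponly")
SESSION_COOKIE_NAME = "JSESSIONID"  # default session cookie name in JBoss Web / Tomcat


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Attribute names are lower-cased so comparison is case-insensitive; valueless
    flags such as Secure and HttpOnly are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def missing_flags(header_value: str) -> List[str]:
    """Return the required flags that are absent from this Set-Cookie value."""
    attrs = parse_set_cookie(header_value)["attrs"]
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit_session_cookies(set_cookie_headers: List[str],
                          cookie_name: str = SESSION_COOKIE_NAME) -> Dict[str, List[str]]:
    """Map each header that sets cookie_name to its list of missing flags.

    An empty dict means the session cookie was never set in this response, which
    is itself worth noticing: hit a URL that actually creates a session.
    """
    results: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        if parse_set_cookie(header)["name"] == cookie_name:
            results[header] = missing_flags(header)
    return results


def fetch_set_cookie_headers(host: str, path: str = "/", port: int = 443,
                             use_tls: bool = True) -> List[str]:
    """Request path from host and return every Set-Cookie header. Not run here.

    Use TLS: over plain HTTP the Secure flag is not expected, so a check there
    would report a false failure.
    """
    if use_tls:
        conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return headers


# Constructed sample: a cookie issued without the flags, and the same cookie as
# it should appear once <SessionCookie secure="true" httpOnly="true" /> is live.
SAMPLE_HEADERS = [
    "JSESSIONID=8C1B2D0F9A; Path=/myapp",
    "JSESSIONID=8C1B2D0F9A; Path=/myapp; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header, missing in audit_session_cookies(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{status:24s} {header}")
```

To check a deployed server, replace SAMPLE_HEADERS with `fetch_set_cookie_headers("your.host", "/myapp/")` and request a page that creates a session; a response that sets no JSESSIONID at all yields an empty result, not a pass.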