-
1. Re: How to Add the 'HttpOnly' attribute to all session cookies in web applications running in jboss-4.0.3SP1
jfclere Nov 8, 2012 5:03 AM (in response to srinu_ammina)
You need to patch the Tomcat used by jboss-4.0.3SP1...
The code corresponding to the feature is not in the Tomcat version used by JBoss. See https://community.jboss.org/wiki/VersionOfTomcatInJBossAS
See java/org/apache/tomcat/util/http/ServerCookie.java of a current Tomcat and add it to yours, recompile and replace the tomcat-util.jar in your AS installation.
Or upgrade to a more recent version ;-)
-
2. Re: How to Add the 'HttpOnly' attribute to all session cookies in web applications running in jboss-4.0.3SP1
srinu_ammina Nov 9, 2012 1:59 AM (in response to jfclere)
Thank you for the update.
This is our understanding: we need to take the latest ServerCookie.java file from the latest tomcat-util.jar file, compile it to get the class file, and place the class file into our existing tomcat-util.jar file?
Or can we directly replace the tomcat-util.jar file in our jboss-4.0.3SP1 with the latest one?
Could you please guide us in detail on how to proceed?
Thanks & Regards
Srinivasa
-
3. Re: How to Add the 'HttpOnly' attribute to all session cookies in web applications running in jboss-4.0.3SP1
jfclere Nov 10, 2012 5:09 AM (in response to srinu_ammina)
You need to add:
buf.append("; HttpOnly"); in connectors/util/java/org/apache/tomcat/util/http/ServerCookie.java (near the end of appendCookieValue()) in the source of your Tomcat,
then rebuild it and replace the tomcat-util.jar file in your jboss-4.0.3SP1.
Something like:
+++
buf.append("; HttpOnly");
headerBuf.append(buf);
}
+++
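An added example, not part of the thread or of Tomcat's code: a Python check that a server running the rebuilt tomcat-util.jar really emits HttpOnly on its cookies, matching it as a cookie attribute rather than as a substring. The two response texts and the `note` cookie are constructed samples; JSESSIONID is the standard servlet session cookie name.

```python
# Constructed sample responses (not captured from a real server).
BEFORE_PATCH = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app\r\n"
    "Set-Cookie: note=HttpOnly; Path=/app\r\n"   # value only, not an attribute
    "Content-Type: text/html\r\n\r\n<html></html>"
)
AFTER_PATCH = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly\r\n"
    "Set-Cookie: note=HttpOnly; Path=/app; httponly\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)


def set_cookie_headers(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def has_httponly(set_cookie_value):
    """True only if HttpOnly is an attribute, not part of the cookie value."""
    parts = set_cookie_value.split(";")
    attrs = [p.strip().lower() for p in parts[1:]]   # parts[0] is name=value
    return "httponly" in attrs


def audit(raw_response):
    """Map each cookie name to True/False (HttpOnly present) for one response."""
    result = {}
    for value in set_cookie_headers(raw_response):
        cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
        result[cookie_name] = has_httponly(value)
    return result


def missing_httponly(raw_response):
    """Sorted names of cookies that were set without HttpOnly."""
    return sorted(n for n, ok in audit(raw_response).items() if not ok)


if __name__ == "__main__":
    print("before:", missing_httponly(BEFORE_PATCH))
    print("after: ", missing_httponly(AFTER_PATCH))
```
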