5 Replies Latest reply on Dec 12, 2016 9:22 AM by naresh1

Add HttpOnly and Secure attributes to JSESSIONID cookie

kalyancm Jan 13, 2013 9:44 AM

Hi,

We are using JBoss 4.3 CP 09 server for our applications. SSL is not provided by the server but by an external component. I would like the 'HttpOnly' and 'secure' attributes to be added to the JSESSION ID cookie generated by one application. For this server version, the only way that I seem to find is to use a Servlet Filter and add the JSESSIONID as below.

public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {

final HttpServletResponse response = (HttpServletResponse) res;

final HttpServletRequest request = (HttpServletRequest) req;

if (response.containsHeader("SET-COOKIE")) { // *******

response.setHeader("SET-COOKIE", "JSESSIONID=" + request.getSession().getId() + "; Path=" + request.getContextPath()

+ "; HttpOnly" + (request.isSecure() ? SECURE_FLAG : ""));

}

filterChain.doFilter(req, res);

}

Is there a better approach than doing it this way? I would prefer to let the server handle the cookie.

Also response.containsHeader("SET-COOKIE") always seem to return false.

Please provide your suggestions.

Thanks

Kalyan Matha

1. Re: Add HttpOnly and Secure attributes to JSESSIONID cookie

jfclere Jan 14, 2013 3:23 AM (in response to kalyancm)

may be the external component could add the header for you, what are you using?
Actions
2. Re: Add HttpOnly and Secure attributes to JSESSIONID cookie

kalyancm Jan 14, 2013 3:21 PM (in response to jfclere)

Thanks for responding to my question. I will try to find some info about the external component that provides SSL to our application.Your suggestion was one approach that we were considering for resolving this issue. Before taking that approach, I would like to know if the programming approach as mentioned above is incorrect.
Actions
3. Re: Add HttpOnly and Secure attributes to JSESSIONID cookie

jfclere Jan 15, 2013 2:48 AM (in response to kalyancm)

the HttpOnly is discussed in https://community.jboss.org/message/761627
for the isSecure() the trick is to configure the connector so that AS thinks it is secured secure="true" in the connector configuration.
1 of 1 people found this helpful
Actions
4. Re: Add HttpOnly and Secure attributes to JSESSIONID cookie

kalyancm Jan 17, 2013 3:22 PM (in response to jfclere)

Thanks for your pointers. I will try the suggestions in the referenced thread.
Actions
5. Re: Add HttpOnly and Secure attributes to JSESSIONID cookie

naresh1 Dec 12, 2016 9:22 AM (in response to kalyancm)

Hi kalyan,

Did you resolve your issue, Got same thing can you help me out?

Thanks,
Naresh kallamadi
Actions

Go to original post