3 Replies Latest reply on Aug 28, 2017 10:47 AM by jboss234

    Wildfly 9 httponly issue

    nayal.ashish

      I have an EAR project in which, to resolve the HttpOnly issue, I have done the following configuration in standalone.xml

       

      But when I enter javascript:alert(document.cookie) in the browser URL bar after login, it gives me an alert showing the JSESSIONID value

       

      standalone.xml

      <subsystem xmlns="urn:jboss:domain:undertow:2.0">
          <buffer-cache name="default"/>
          <server name="default-server">
              <http-listener name="default" socket-binding="http" redirect-socket="https"/>
              <host name="default-host" alias="localhost">
                  <location name="/" handler="welcome-content"/>
                  <filter-ref name="server-header"/>
                  <filter-ref name="x-powered-by-header"/>
              </host>
          </server>
          <servlet-container name="default">
              <session-cookie http-only="true" secure="true"/>
              <jsp-config/>
              <websockets/>
          </servlet-container>
          <handlers>
              <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
          </handlers>
          <filters>
              <response-header name="server-header" header-name="Server" header-value="WildFly/9"/>
              <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
          </filters>
      </subsystem>

        • 1. Re: Wildfly 9 httponly issue
          nayal.ashish

          Please, can someone from the WildFly team help me with this issue, as my application's security audit process is pending because of this issue.

          • 2. Re: Wildfly 9 httponly issue
            nayal.ashish

            I have resolved the issue; you have to do the following configuration in jboss-all.xml

             

            <shared-session-config xmlns="urn:jboss:shared-session-config:1.0">
                <session-config>
                    <session-timeout>20</session-timeout>
                    <cookie-config>
                        <path>/</path>
                        <http-only>true</http-only>
                        <secure>false</secure> <!-- Make sure this is set to false only -->
                    </cookie-config>
                    <tracking-mode>COOKIE</tracking-mode>
                </session-config>
            </shared-session-config>

            • 3. Re: Wildfly 9 httponly issue
              jboss234

              I tried to add the 'Secure' attribute to all sensitive cookies, and for that I added <session-cookie http-only="true" secure="false"/> under <servlet-container name="default"> in standalone.xml. After restarting the WildFly 10 app server, when I log into the application I get a "Session Error" popup.

               

              How do I prevent this popup and add the 'Secure' attribute to all sensitive cookies?
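The following is an added example, not code from this thread or from WildFly/Undertow. It covers both the original poster's test (reading document.cookie after login) and the Secure-attribute question in the later replies. Rather than typing javascript:alert(document.cookie) into the URL bar, which only tells you what the browser chose to expose, the reliable check is to look at the Set-Cookie header the server actually returns on the login response (browser devtools or curl -i will show it) and confirm that HttpOnly and Secure are present. The script below parses such headers, reports the missing attributes on the session cookie, and models the browser rules from RFC 6265 that explain the two symptoms discussed here: a cookie without HttpOnly is readable by script, and a cookie marked Secure is never sent back on a plain http:// request, so a server that set it during an http login sees no session on the next request. The header strings, the host example.test and the context path /myapp are constructed for the example.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and model browser behaviour.

Hypothetical helper written for this thread; not WildFly or Undertow code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value (None for flag attributes such as HttpOnly)
    attributes: Dict[str, Optional[str]]

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def path(self) -> str:
        return self.attributes.get("path") or "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie line, with or without the 'Set-Cookie:' prefix."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def audit(headers: Sequence[str], sensitive: Sequence[str] = ("JSESSIONID",)) -> List[str]:
    """One finding per missing attribute on each sensitive cookie; other cookies are ignored."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in sensitive:
            continue
        if not cookie.http_only:
            findings.append(f"{cookie.name}: missing HttpOnly")
        if not cookie.secure:
            findings.append(f"{cookie.name}: missing Secure")
    return findings


def readable_by_script(cookie: Cookie) -> bool:
    """True if document.cookie (e.g. javascript:alert(document.cookie)) would expose it."""
    return not cookie.http_only


def _path_matches(request_path: str, cookie_path: str) -> bool:
    # RFC 6265 section 5.1.4 path-match rules.
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def browser_will_send(cookie: Cookie, request_url: str) -> bool:
    """Would a conforming browser attach this cookie to a request for request_url?

    A Secure cookie is only sent over https (RFC 6265 section 4.1.2.5); the
    request path must also match the cookie's Path attribute.
    """
    url = urlsplit(request_url)
    if cookie.secure and url.scheme.lower() != "https":
        return False
    return _path_matches(url.path or "/", cookie.path)


# Constructed sample login responses (not captured from a real server).
HARDENED = "Set-Cookie: JSESSIONID=abc123.node1; Path=/myapp; HttpOnly; Secure"
UNFLAGGED = "Set-Cookie: JSESSIONID=def456.node1; Path=/myapp"
THEME = "Set-Cookie: theme=dark; Path=/"

if __name__ == "__main__":
    for finding in audit([HARDENED, UNFLAGGED, THEME]):
        print("FINDING:", finding)
    hardened = parse_set_cookie(HARDENED)
    for login_url in ("http://example.test/myapp/login", "https://example.test/myapp/login"):
        print(f"{login_url}: session cookie returned = {browser_will_send(hardened, login_url)}")
```

Run it against the Set-Cookie lines copied from your own login response; if the hardened cookie is only ever sent back over https, the application must be served over https end to end (or have Undertow behind a TLS-terminating proxy that the listener trusts) before secure="true" can work without losing the session.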