1 Reply Latest reply on Sep 18, 2009 11:37 AM by fpetitit

    HttpOnly session cookie flag for JBoss servlets

    jmanico

      Hello. Are there any plans to support the HttpOnly cookie flag in the session cookie (JSESSIONID) of JBoss? Tomcat is en route to support this security flag.

      As a side note, the HttpOnly cookie flag blocks JavaScript from accessing cookie data. It is supported by IE6+, Firefox 2.0.0.5+, and Opera 9.5+, and is still being developed on Safari. It's not a standard per se but is very widely used in practice. The Java Servlet 3.0 JSR is also supporting this flag. The security benefits are very significant. There is never, ever a need to access the JSESSIONID cookie via JavaScript. By adding the HttpOnly cookie flag to JBoss servlet session cookies, a large class of Cross Site Scripting and Session Hijacking attacks will be prevented.

      Best Regards,
      Jim Manico
      Aspect Security
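The check an operator would run while waiting for container support: parse the Set-Cookie headers a JBoss application returns and flag any session cookie that lacks the HttpOnly attribute. This is an added example, not code from the post above or from the JBoss or Tomcat projects; it assumes the default servlet session cookie name JSESSIONID (configurable in the container), and the sample headers are constructed to show one weak and one hardened response.

```python
"""Audit Set-Cookie headers for the HttpOnly flag on session cookies.

Added example, not part of the original forum post. It parses raw
Set-Cookie header values as an HTTP client would see them and reports
session cookies (JSESSIONID by default, an assumption) that are missing
HttpOnly, the gap the post above asks JBoss to close.
"""
from dataclasses import dataclass, field

# Assumption: the servlet container's default session cookie name.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or None for flag attributes
    attributes: dict = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie value of the form NAME=VALUE; attr; attr=val ...

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    only the first '=' in the cookie pair separates name from value, so values
    containing '=' survive intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie: {header_value!r}")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return ParsedCookie(name.strip(), value.strip(), attrs)


def session_cookies_missing_httponly(headers, session_names=SESSION_COOKIE_NAMES):
    """Return the names of session cookies set without the HttpOnly flag."""
    missing = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name in session_names and not cookie.httponly:
            missing.append(cookie.name)
    return missing


# Constructed sample responses: the first is what a container without
# HttpOnly support emits, the second is the hardened form (Secure added too).
WEAK_HEADERS = ["JSESSIONID=abc123; Path=/app"]
HARDENED_HEADERS = ["JSESSIONID=abc123; Path=/app; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "->", session_cookies_missing_httponly(headers) or "OK")
```

Feed it the Set-Cookie values captured from a real login response (one string per header) and an empty result means every session cookie carried HttpOnly; the Secure property is exposed as well because the same audit usually wants both flags on a session cookie.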