1 Reply Latest reply on Sep 18, 2009 11:37 AM by François Petitit

    HttpOnly session cookie flag for JBoss servlets

    Jim Manico Newbie

      Hello. Are there any plans to support the HttpOnly cookie flag in the session cookie (JSESSIONID) of JBoss? Tomcat is on route to support this security flag.

      As a side note, the HttpOnly cookie flag blocks JavaScript from accessing cookie data. It is supported by IE6+ FireFox 2.0.0.5+ Opera 9.5+ and is still be developed on Safari. It's not a standard per-say but is very widely used in practice. The Java Servet 3.0 JSR is also supporting this flag. The security benefits are very significant. There is never, ever a need to access the JSESSIONID cookie via JavaScript. By adding the HttpOnly cookie flag to JBoss servlet session cookies, a large class of Cross Site Scripting and Session Hijacking attacks will be prevented.

      Best Regards,
      Jim Manico
      Aspect Security