22 Replies Latest reply on Sep 26, 2012 7:56 AM by Steffen Baum

    HttpOnly cookies in JBossWeb 2.0.1

    Steffen Baum Newbie

      Hi,

       

      according to https://community.jboss.org/wiki/VersionOfTomcatInJBossAS, JBoss 4.2.3 ships with JBossWeb 2.0.1 which implements the Servlet 2.4 specification. However, the HttpOnly attribute for cookies is supported in Servlet 3.0.

       

      To protect the JSESSIONID from being accessed by JavaScript, I need to modify the Set-Cookie header somehow.

       

      Is there any chance to upgrade JBossWeb within JBoss 4.2.3 to support this feature in a declarative manner via context.xml? Alternatively, could you point me to some tested standard solutions like servlet filters or valves I may use to achieve the same? I'm not willing to reimplement RFC 6265 to safely parse and build Set-Cookie headers.

       

       

      Br,

      Steffen
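
Whichever route is taken (filter, valve or upgrade), the Set-Cookie values the server returns can be audited to confirm that the session cookie really carries the flag. The following is an added example, not part of the original post or of any JBoss code; the function names and sample header values are constructed for illustration, and the attribute split follows the user-agent parsing steps of RFC 6265 section 5.2, so a cookie whose value merely contains the text "HttpOnly" is not mistaken for a protected one.

```python
"""Audit Set-Cookie header values for a session cookie without HttpOnly."""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, attrs).

    attrs maps lower-cased attribute names to their values ('' for bare
    flags); attribute names are case-insensitive in RFC 6265.
    """
    pair, _, rest = value.partition(";")
    name, sep, cookie_value = pair.partition("=")
    name = name.strip()
    if not sep or not name:
        raise ValueError("no name=value pair in %r" % value)
    attrs = {}
    for part in rest.split(";"):
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, cookie_value.strip(), attrs


def missing_httponly(set_cookie_values, cookie_name="JSESSIONID"):
    """Return every header value that sets cookie_name without HttpOnly."""
    flagged = []
    for raw in set_cookie_values:
        try:
            name, _, attrs = parse_set_cookie(raw)
        except ValueError:
            continue  # a browser ignores such a header as well
        if name == cookie_name and "httponly" not in attrs:
            flagged.append(raw)
    return flagged


# Constructed sample values, not captured from a real server.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app",
    "JSESSIONID=0123456789ABCDEF; Path=/app; httponly",
    "theme=HttpOnly; Path=/",
    "JSESSIONID=HttpOnly; Path=/app",  # flag text in the value only
    "no-equals-sign-here",
]

if __name__ == "__main__":
    for header in missing_httponly(SAMPLE_HEADERS):
        print("missing HttpOnly:", header)
```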
