3 Replies Latest reply on Aug 28, 2017 10:47 AM by D P

    Wildfly 9 httponly issue

    Ashish Nayal Newbie

      I have an EAR project in which, to resolve the HttpOnly issue, I have done the following configuration in standalone.xml.


      But when I enter javascript:alert(document.cookie) in the browser URL bar after login, it gives me an alert showing the JSESSIONID value.



      <subsystem xmlns="urn:jboss:domain:undertow:2.0">
          <buffer-cache name="default"/>
          <server name="default-server">
              <http-listener name="default" socket-binding="http" redirect-socket="https"/>
              <host name="default-host" alias="localhost">
                  <location name="/" handler="welcome-content"/>
                  <filter-ref name="server-header"/>
                  <filter-ref name="x-powered-by-header"/>
              </host>
          </server>
          <servlet-container name="default">
              <!-- session cookie flags for all deployments using this container -->
              <session-cookie http-only="true" secure="true"/>
          </servlet-container>
          <handlers>
              <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
          </handlers>
          <filters>
              <response-header name="server-header" header-name="Server" header-value="WildFly/9"/>
              <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
          </filters>
      </subsystem>


        • 1. Re: Wildfly 9 httponly issue
          Ashish Nayal Newbie

          Please, someone from the WildFly team help me with this issue, as my application's security audit process is pending because of it.

          • 2. Re: Wildfly 9 httponly issue
            Ashish Nayal Newbie

            I have resolved the issue; you have to do the following configuration in jboss-all.xml:

            <shared-session-config xmlns="urn:jboss:shared-session-config:1.0">
                <session-config>
                    <cookie-config>
                        <!-- HttpOnly flag on the shared session cookie -->
                        <http-only>true</http-only>
                        <secure>false</secure>  <!-- Make sure this is set to false only -->
                    </cookie-config>
                </session-config>
            </shared-session-config>


            • 3. Re: Wildfly 9 httponly issue
              D P Apprentice

              I tried to add the 'Secure' attribute to all sensitive cookies, and for that I have added <session-cookie http-only="true" secure="false"/> under <servlet-container name="default"> in standalone.xml. After restarting the WildFly 10 app server, when I logged into the application I am getting a "Session Error" popup.


              How do I prevent this popup and add the 'Secure' attribute to all sensitive cookies?
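Added example (not code from this thread or from WildFly): a small Python audit of Set-Cookie headers that reports whether the session cookie carries the HttpOnly and Secure flags, which is a more reliable check than the javascript:alert(document.cookie) test in the original post and also covers the Secure attribute the last reply asks about. The header strings are constructed, and JSESSIONID is assumed as Undertow's default session cookie name.

```python
from typing import Dict, List, Tuple

SESSION_COOKIE_NAMES = {"JSESSIONID"}  # assumed: Undertow's default session cookie name


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value}).

    Flag attributes such as HttpOnly and Secure carry no value and map to "".
    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for each session cookie seen.

    A cookie that document.cookie can display is exactly one whose Set-Cookie
    header lacked HttpOnly, so this is the server-side view of the browser
    test used in the thread; the Secure flag is checked the same way.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name in SESSION_COOKIE_NAMES:
            findings[name] = [f for f in ("httponly", "secure") if f not in attrs]
    return findings


# Constructed login responses: no flags, HttpOnly only, and both flags set.
NO_FLAGS = ["JSESSIONID=abc123; Path=/myapp"]
HTTPONLY_ONLY = ["JSESSIONID=abc123; Path=/myapp; HttpOnly"]
BOTH_FLAGS = ["JSESSIONID=abc123; Path=/myapp; HttpOnly; Secure"]

if __name__ == "__main__":
    for label, hdrs in (("no flags", NO_FLAGS), ("httponly", HTTPONLY_ONLY), ("both", BOTH_FLAGS)):
        print(label, audit_set_cookie_headers(hdrs))
```

Note that a browser never sends a Secure cookie back over plain http://, so a Secure session cookie on a site reached over HTTP loses the session on the very next request; that is one common reason a login breaks as soon as secure is turned on, and running this audit against the real login response shows which flags are actually being set.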