0 Replies Latest reply on Mar 22, 2008 3:54 PM by Jim Manico

    HttpOnly cookie flag

    Jim Manico Newbie

      Hello. Are there any plans to support the HttpOnly cookie flag in the session cookie (JSESSIONID) of JBoss? Tomcat is on route to support this security flag.

      As a side note, the HttpOnly cookie flag blocks JavaScript from accessing cookie data. It is supported by IE6+ FireFox 2.0.0.5+ Opera 9.5+ and is still be developed on Safari. It's not a standard per-say but is very widely used in practice. The Java Server JSR is also considering this flag. The security benefits are very significant. There is never, ever a need to access the JSESSIONID cookie via JavaScript. But adding HttpOnly support to JBoss a large class of Cross Site Scripting and Session Hijacking attacked will be prevented.

      Thank you!!