
Setting HttpOnly Flag for Cookies

Kowbathullah Gnaniyar, modified 8 years ago.

Setting HttpOnly Flag for Cookies

Liferay Master, Posts: 722, Join date: 19/12/07
We are implementing HttpOnly cookies in our portal and I am trying different approaches:

1. I have tried overwriting the SET-COOKIE HTTP response header with the session cookie value to explicitly append the HttpOnly flag by setting it in the response header:

response.setHeader("SET-COOKIE", cookie.getName() + "=" + sessionid + "; Path=" + contextPath + "; HttpOnly" + secure);



2. Trying with the ESAPI Java EE library by adding the cookie through SecurityWrapperResponse:

securityWrapperResponse.addCookie(cookie);


Which is the best way of handling this security and why? Also, when I tested the above implementation, the JSESSIONID cookie does not get the HttpOnly flag when the context path is empty, and it works if the context path has some valid path. Is this a correct way of testing the above implementation or am I doing something wrong? Please advise.

Thanks in advance.
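The header-rewriting approach from the first post, as an added example that is not part of the original post or of Liferay: a response wrapper that appends HttpOnly (and Secure) to any Set-Cookie header written through it, plus a helper that builds the session-cookie header without producing an empty Path attribute when the portal is deployed at the root context. It assumes a Servlet 2.5 container where Cookie.setHttpOnly(boolean) is not available; the class and method names are hypothetical.

```java
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example (not from the thread or Liferay). Wraps the response so every
// Set-Cookie header passing through setHeader/addHeader carries HttpOnly, and
// Secure when the wrapper was created for an HTTPS request.
public class HttpOnlyResponseWrapper extends HttpServletResponseWrapper {

    private final boolean secure;

    public HttpOnlyResponseWrapper(HttpServletResponse response, boolean secure) {
        super(response);
        this.secure = secure;
    }

    /** True if the Set-Cookie value already has the given attribute (case-insensitive, RFC 6265). */
    static boolean hasAttribute(String headerValue, String attr) {
        String[] parts = headerValue.split(";");
        for (int i = 1; i < parts.length; i++) {          // parts[0] is name=value
            if (parts[i].trim().equalsIgnoreCase(attr)) return true;
        }
        return false;
    }

    /** Appends HttpOnly (and Secure when requested) only if they are not already present. */
    static String harden(String headerValue, boolean secure) {
        String v = headerValue.trim();
        if (!hasAttribute(v, "HttpOnly")) v += "; HttpOnly";
        if (secure && !hasAttribute(v, "Secure")) v += "; Secure";
        return v;
    }

    /**
     * Builds the session-cookie header the way the first post does, but maps an
     * empty context path (ROOT deployment) to "/" so the header never contains
     * a bare "Path=", which browsers do not treat as a valid path attribute.
     */
    static String sessionCookieHeader(String name, String sessionId,
                                      String contextPath, boolean secure) {
        String path = (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
        return harden(name + "=" + sessionId + "; Path=" + path, secure);
    }

    @Override
    public void setHeader(String name, String value) {
        super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value, secure) : value);
    }

    @Override
    public void addHeader(String name, String value) {
        super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value, secure) : value);
    }
}
```

The wrapper only sees headers written through it; the container writes the initial JSESSIONID cookie itself, so on Tomcat the supported fix for that cookie is the useHttpOnly attribute on the Context element rather than header rewriting.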
Ionut Negoita, modified 7 years ago.

RE: Setting HttpOnly Flag for Cookies

New Member, Posts: 10, Join date: 27/08/12
Hi,

I know it's been a while since you asked, but in case anybody else wants to know how to handle the HttpOnly flag for Liferay cookies and how to add this flag to JSESSIONID, I've written an extensive description here: http://www.coding-dude.com/wp/java/liferay/solving-owasp-security-vulnerabilities-in-liferay-6-0-x/