Forum

Setting HttpOnly Flag for Cookies

Kowbathullah Gnaniyar, modified 8 years ago.

Setting HttpOnly Flag for Cookies

Liferay Master Posts: 722 Join Date: 19/12/07 Recent Posts
We are implementing HttpOnly cookies in our portal and I am trying different approaches:

1. I have tried overwriting the SET-COOKIE HTTP response header with the session cookie value to explicitly append the HttpOnly flag, by setting the response header:

response.setHeader("SET-COOKIE", cookie.getName()+"=" + sessionid+ "; Path=" + contextPath + "; HttpOnly" + secure );


2. Trying the ESAPI Java EE library, adding the cookie through SecurityWrapperResponse:

securityWrapperResponse.addCookie(cookie);


Which is the best way of handling this security and why? Also, when I tested the above implementation, the JSESSIONID cookie does not get the HttpOnly flag when the context path is empty, but it works if the context path has some valid path. Is this a correct way of testing the above implementation, or am I doing something wrong? Please advise.

Thanks in advance.
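The following is an added example illustrating the first approach from the post above; it is not code from the original post or from Liferay. It is a servlet Filter that re-issues the session cookie with HttpOnly (and Secure on HTTPS requests) when a session is created, and it handles the empty-context-path case raised in the question by falling back to Path=/ instead of emitting an empty Path attribute. It assumes the javax.servlet 2.5 API, a session cookie named JSESSIONID, and a container (such as Tomcat) that queues its own Set-Cookie at session creation so that a later setHeader call replaces it; the class name SessionCookieHttpOnlyFilter and the helper buildSetCookie are the example's own names.

```java
// Added example, not code from the original post or from Liferay.
// Assumes the javax.servlet 2.5 API and a JSESSIONID session cookie.
// Container-level alternatives, where available: useHttpOnly="true" on a
// Tomcat <Context> (Tomcat 6.0.19+), or on Servlet 3.0+ containers
// <cookie-config><http-only>true</http-only></cookie-config> in web.xml.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionCookieHttpOnlyFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Create the session here (if it does not exist yet) so the container's
        // own Set-Cookie is already queued and can be replaced before the rest
        // of the chain runs. Assumption: the container queues the cookie at
        // session creation, which is Tomcat's behaviour.
        HttpSession session = request.getSession(true);
        if (session.isNew()) {
            String header = buildSetCookie(SESSION_COOKIE, session.getId(),
                    request.getContextPath(), request.isSecure());
            // setHeader replaces every queued Set-Cookie value, so this must run
            // before the application adds cookies of its own, never after.
            response.setHeader("Set-Cookie", header);
        }
        chain.doFilter(request, response);
    }

    /**
     * Builds a Set-Cookie header value carrying HttpOnly and, for HTTPS, Secure.
     * A root deployment has an empty context path; writing "Path=" in that case
     * is avoided by falling back to "/".
     */
    static String buildSetCookie(String name, String value, String contextPath, boolean secure) {
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value);
        sb.append("; Path=").append(path);
        sb.append("; HttpOnly");
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }
}
```

Map the filter to /* and list it before any other filter in web.xml so it runs first. Two caveats: behind a TLS-terminating proxy, request.isSecure() is typically false, so the Secure flag would be omitted unless the connector is configured to trust the proxy's forwarding headers; and because setHeader discards every queued Set-Cookie value, the header must be written before the application emits its own cookies. A quick check of the result is to inspect the raw response headers of the first request of a fresh session and confirm that the JSESSIONID Set-Cookie line contains HttpOnly and a non-empty Path.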
Ionut Negoita, modified 7 years ago.

RE: Setting HttpOnly Flag for Cookies

New Member Posts: 10 Join Date: 27/08/12 Recent Posts
Hi,

I know it's been a while since you asked, but in case anybody else wants to know how to handle the HttpOnly flag for Liferay cookies and how to add this flag to JSESSIONID, I've written an extensive description here: http://www.coding-dude.com/wp/java/liferay/solving-owasp-security-vulnerabilities-in-liferay-6-0-x/