Message Board
Setting HttpOnly Flag for Cookies
Kowbathullah Gnaniyar, modified 8 years ago.
Liferay Master, Posts: 722, Join Date: 07-12-19
We are implementing HttpOnly cookies in our portal and I am trying different approaches.
1. I have tried overwriting the SET-COOKIE HTTP response header with the session cookie value to explicitly append the HttpOnly flag by setting it in the response header:
// "secure" is assumed to hold either "; Secure" or an empty string.
// An empty contextPath yields "Path=" with no value, which browsers reject; use "/" in that case.
String path = contextPath.isEmpty() ? "/" : contextPath;
response.setHeader("SET-COOKIE", cookie.getName() + "=" + sessionid + "; Path=" + path + "; HttpOnly" + secure);
2. Trying with the ESAPI Java EE library by adding the cookie through SecurityWrapperResponse:
// ESAPI's wrapper writes the cookie with the attributes its configuration enforces.
securityWrapperResponse.addCookie(cookie);
Which is the best way of handling this security requirement, and why? Also, when I tested the above implementation, the JSESSIONID cookie does not get the HttpOnly flag when the context path is empty, but it works if the context path has a valid value. Is this the correct way of testing the above implementation, or am I doing something wrong? Please advise.
Thanks in advance.
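As an added example that is not code from the original thread or from Liferay, the following servlet Filter centralizes what the two approaches in the question do by hand: it wraps the response, forces HttpOnly (and Secure when the request arrived over HTTPS) on cookies set through addCookie() as well as on raw Set-Cookie headers, and shows the empty-context-path case the question describes, where "Path=" with no value must become "Path=/". The class and method names are my own; the code assumes the Servlet 3.0 API or later (Cookie.setHttpOnly).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Illustrative filter (hypothetical name): every cookie the application sets
// leaves with HttpOnly, and with Secure when the request itself was HTTPS.
public class HttpOnlyCookieFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Downstream servlets and portlets see only the wrapper, so both
        // addCookie() and raw Set-Cookie headers pass through harden().
        chain.doFilter(request, new HttpOnlyResponseWrapper(response, request.isSecure()));
    }

    static class HttpOnlyResponseWrapper extends HttpServletResponseWrapper {
        private final boolean secureRequest;

        HttpOnlyResponseWrapper(HttpServletResponse response, boolean secureRequest) {
            super(response);
            this.secureRequest = secureRequest;
        }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setHttpOnly(true);            // Servlet 3.0+ API
            if (secureRequest) {
                cookie.setSecure(true);
            }
            super.addCookie(cookie);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value) : value);
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value) : value);
        }

        // Appends HttpOnly (and Secure) to a raw Set-Cookie value only if absent,
        // so a header that already carries them is left unchanged.
        String harden(String setCookie) {
            StringBuilder sb = new StringBuilder(setCookie);
            if (!hasAttribute(setCookie, "HttpOnly")) sb.append("; HttpOnly");
            if (secureRequest && !hasAttribute(setCookie, "Secure")) sb.append("; Secure");
            return sb.toString();
        }

        private static boolean hasAttribute(String setCookie, String attr) {
            for (String part : setCookie.split(";")) {
                if (part.trim().equalsIgnoreCase(attr)) return true;
            }
            return false;
        }
    }

    // Hand-built Set-Cookie value as in approach 1 of the question. The root
    // web application has an empty context path; emitting "Path=" with no value
    // is malformed, so it is replaced by "/" before the header is written.
    static String buildSessionCookie(String name, String value, String contextPath, boolean secure) {
        String path = (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
        return name + "=" + value + "; Path=" + path + "; HttpOnly" + (secure ? "; Secure" : "");
    }
}
```

Two practical points follow from this design. First, the servlet container usually writes JSESSIONID itself, so an application filter may never see that Set-Cookie header; for the session cookie the dependable lever is the container configuration (the `<cookie-config><http-only>true</http-only></cookie-config>` element in a Servlet 3.0 web.xml, or the `useHttpOnly` attribute on a Tomcat Context). Second, verify the result by reading the raw Set-Cookie response header (browser developer tools or a command-line HTTP client), not by checking document.cookie from script, since a correctly flagged cookie is invisible there by design.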
Hi,
I know it's been a while since you asked, but in case anybody else wants to know how to handle the HttpOnly flag for Liferay cookies and how to add this flag to JSESSIONID, I've written an extensive description here: http://www.coding-dude.com/wp/java/liferay/solving-owasp-security-vulnerabilities-in-liferay-6-0-x/