Setting HttpOnly Flag for Cookies

Kowbathullah Gnaniyar, modified 8 years ago.

Liferay Master Posts: 722 Join Date: 07-12-19 Recent Posts
We are implementing HttpOnly cookies in our portal and I am trying different approaches.

1. I have tried overwriting the SET-COOKIE HTTP response header with the session cookie value, explicitly appending the HttpOnly flag by setting it in the response header:

response.setHeader("SET-COOKIE", cookie.getName()+"=" + sessionid+ "; Path=" + contextPath + "; HttpOnly" + secure );



2. Trying with the ESAPI Java EE library, adding the cookie through SecurityWrapperResponse:

securityWrapperResponse.addCookie(cookie);


Which is the best way of handling this, and why? Also, when I tested the above implementation, the JSESSIONID cookie does not get the HttpOnly flag when the context path is empty, but it works if the context path has some valid path. Is this a correct way of testing the above implementation, or am I doing something wrong? Please advise.

Thanks in advance.
Ionut Negoita, modified 7 years ago.

RE: Setting HttpOnly Flag for Cookies

New Member Posts: 10 Join Date: 12-8-27 Recent Posts
Hi,

I know it's been a while since you asked, but in case anybody else wants to know how to handle the HttpOnly flag for Liferay cookies and how to add this flag to JSESSIONID, I've written an extensive description here: http://www.coding-dude.com/wp/java/liferay/solving-owasp-security-vulnerabilities-in-liferay-6-0-x/