WebApp Sec mailing list archives

RE: HttpOnly and J2EE containers

From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Fri, 17 Feb 2006 21:06:59 -0500

The J2EE Cookie interface doesn't support HttpOnly.  And there's no way to
do any kind of J2EE API injection, it validates the cookie value too well.
The only way to do it is to set up the entire Set-Cookie header by hand. Try
something like this...

    response.setHeader( "Set-Cookie","name1=value1; HttpOnly" );
 
 
--Jeff



On 2/14/06, Pilon Mntry <pilonmntry () yahoo com> wrote: 
Lately, I needed to add HttpOnly cookie parameter to
Java System Application Server PE and had to use

...
<property name="cookiePath" value="/mypath;
HttpOnly;">
...

hack in sun-web.xml file. Well, Actually this didn't
work (obviously in IE, which uses v0 cookie parser and
only one supporting HttpOnly) and I had to tweak the
above "a little bit".

Anyways, I searched about this on the net, but
couldn't find anything solid except that Resin and
some other AS has made this operation easy... 

Now, my question is do you guys know an easy way to
incorporate this cookie parameter in other J2EE
containers, such as OracleiAS or Websphere, WebLogic,
etc. Maybe more a standard way than an easy way... 

-pilon



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper 
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------



-- 

--pl 


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

Current thread:

HttpOnly and J2EE containers Pilon Mntry (Feb 15)
- <Possible follow-ups>
- RE: HttpOnly and J2EE containers Jeff Williams (Feb 17)
  - RE: HttpOnly and J2EE containers Pilon Mntry (Feb 20)