WebApp Sec mailing list archives

RE: HttpOnly and J2EE containers


From: Pilon Mntry <pilonmntry () yahoo com>
Date: Sun, 19 Feb 2006 23:02:53 -0800 (PST)

Hi Jeff,

At last, I used 

...
<property name="cookiePath" value="/mypath &quot;;
HttpOnly; Path=/mypath; bla=&quot;">
...

in sun-web.xml, which worked but is not good-looking. I
was searching for something so that I wouldn't touch the code. I
think HttpOnly should be added to the J2EE interface.

Thanks for the reply.

-pilon

--- Jeff Williams <jeff.williams () aspectsecurity com>
wrote:

The J2EE Cookie interface doesn't support HttpOnly. And there's no way to
do any kind of J2EE API injection; it validates the cookie value too well.
The only way to do it is to set up the entire Set-Cookie header by hand. Try
something like this...

    response.setHeader( "Set-Cookie", "name1=value1; HttpOnly" );
 
 
--Jeff



On 2/14/06, Pilon Mntry <pilonmntry () yahoo com> wrote:
Lately, I needed to add the HttpOnly cookie parameter to
Java System Application Server PE and had to use the

...
<property name="cookiePath" value="/mypath;
HttpOnly;">
...

hack in the sun-web.xml file. Well, actually this didn't
work (obviously in IE, which uses a v0 cookie parser and
is the only one supporting HttpOnly), and I had to tweak the
above "a little bit".

Anyway, I searched for this on the net, but
couldn't find anything solid except that Resin and
some other ASes have made this operation easy...

Now, my question is: do you guys know an easy way to
incorporate this cookie parameter in other J2EE
containers, such as Oracle iAS or WebSphere, WebLogic,
etc.? Maybe more a standard way than an easy way...

-pilon



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com 


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application
Attack!"
Step-by-Step - SPI Dynamics White Paper 
Learn how to defend against Web Application Attacks
with real-world
examples of recent hacking methods such as: SQL
Injection, Cross Site
Scripting and Parameter Manipulation


https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl

--------------------------------------------------------------------------



-- 

--pl 
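The hand-built Set-Cookie header Jeff describes, written out as an added example (not code from this thread or from any of the containers named): a helper that composes the header value with HttpOnly (plus Path and Secure), rejects characters that could break out of the attribute list the way the cookiePath hack above does, and queues it with addHeader rather than setHeader so Set-Cookie headers already on the response (the container's session cookie, for one) are not overwritten. The class and method names are assumptions of mine; the servlet API calls are the standard javax.servlet ones.

```java
import javax.servlet.http.HttpServletResponse;

/** Hand-built Set-Cookie headers with HttpOnly, for containers whose Cookie class lacks it. */
public final class HttpOnlyCookies {

    private HttpOnlyCookies() {}

    /**
     * Builds the raw header value, e.g. "sid=abc123; Path=/mypath; Secure; HttpOnly".
     * Name, value and path are checked first: the J2EE Cookie class normally does this
     * validation for us, and bypassing it by writing the header by hand means we must
     * not let caller-supplied text end the attribute list or the header line.
     */
    static String buildSetCookie(String name, String value, String path, boolean secure) {
        requireSafe(name, "name");
        requireSafe(value, "value");
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            requireSafe(path, "path");
            sb.append("; Path=").append(path);
        }
        if (secure) {
            sb.append("; Secure");
        }
        return sb.append("; HttpOnly").toString();
    }

    /**
     * Queues the cookie on the response. addHeader is used instead of setHeader:
     * setHeader would replace every Set-Cookie header the container already wrote.
     */
    public static void addHttpOnlyCookie(HttpServletResponse response,
                                         String name, String value, String path, boolean secure) {
        response.addHeader("Set-Cookie", buildSetCookie(name, value, path, secure));
    }

    /** Rejects separators and control characters that would inject extra attributes or headers. */
    private static void requireSafe(String s, String what) {
        if (s == null || s.isEmpty()) {
            throw new IllegalArgumentException("cookie " + what + " must not be empty");
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean separator = c == ';' || c == ',' || c == '"' || (c == '=' && what.equals("name"));
            if (c <= 0x20 || c == 0x7f || separator) {
                throw new IllegalArgumentException("illegal character in cookie " + what);
            }
        }
    }
}
```

Later Servlet 3.0 containers expose Cookie.setHttpOnly(boolean) directly, which makes this workaround unnecessary there.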





