I need to set the httpOnly and secure flags on the session cookie in Google App Engine.
I tried the following in web.xml:
In my case the SecureCookieSetter class is not getting used. I also have my Java web app running in GAE. Below is code that works fine in my case. It is also always recommended to set the other security-related headers, such as max-age and the others shown below.
package com.securityFilter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import com.filters.XSSRequestWrapper;
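/**
 * Servlet filter that re-issues the {@code JSESSIONID} cookie with the
 * {@code Secure} and {@code HttpOnly} attributes and adds no-cache and
 * strict-transport-security headers to every HTTP response it sees.
 *
 * <p>The cookie is written as a raw {@code Set-Cookie} header (see
 * {@link #HTTP_ONLY}) so the attribute string stays under this class's
 * control. Requests or responses that are not HTTP are passed through
 * untouched.
 */
public class SecurityFilter implements Filter {
    /** Logger kept for subclasses; nothing in this class logs through it. */
    protected static final Logger log = Logger.getLogger(SecurityFilter.class);

    private static final String PRAGMA_KEY = "Pragma";
    private static final String PRAGMA_VALUE = "no-cache";
    private static final String STRICT_TRANSPORT_KEY = "strict-transport-security";
    /** Seven days in seconds; per the HSTS spec, user agents ignore this header on plain-HTTP responses. */
    private static final String STRICT_TRANSPORT_VALUE = "max-age=604800";
    private static final String SET_COOKIE = "Set-Cookie";
    private static final String JSESSION_ID = "JSESSIONID=";
    /** Cookie attributes appended verbatim after the session id in the Set-Cookie header. */
    private static final String HTTP_ONLY = ";Secure;HttpOnly";
    private static final String CACHE_CONTROL_KEY = "Cache-Control";
    private static final String CACHE_CONTROL_VALUE = "no-store";

    /**
     * Adds the security headers, then hands the request down the chain.
     *
     * <p>Headers are written before {@code chain.doFilter} so they are already
     * on the response if a downstream servlet commits it early.
     *
     * @param request  incoming request; left untouched unless it is HTTP
     * @param response response to decorate; left untouched unless it is HTTP
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Guard both casts: a non-HTTP request used to fail with a
        // ClassCastException; now it simply bypasses the hardening.
        if (request instanceof HttpServletRequest
                && response instanceof HttpServletResponse) {
            makeCookieSecured(response, (HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    /**
     * Emits the hardened session cookie and the cache / transport headers.
     *
     * <p>{@code getSession()} creates a session when none exists yet, so every
     * request through this filter ends up with a session id to re-issue; that
     * is a deliberate cost of this approach. {@code setHeader} replaces any
     * {@code Set-Cookie} header already present on the response, so a cookie
     * added by an earlier filter would be dropped here.
     *
     * @param response           response receiving the headers; must be an
     *                           {@link HttpServletResponse}
     * @param httpServletRequest request whose session id is re-issued
     */
    private void makeCookieSecured(ServletResponse response,
            HttpServletRequest httpServletRequest) {
        HttpServletResponse httpResp = (HttpServletResponse) response;
        String sessionId = httpServletRequest.getSession().getId();
        // The Cookie objects from request.getCookies() are parsed input: changing
        // them never reaches the browser, and appending attributes to their value
        // may alter the JSESSIONID that downstream code reads from the request.
        // That mutation loop was therefore removed; only the response header
        // below carries the hardened cookie.
        httpResp.setHeader(SET_COOKIE, JSESSION_ID + sessionId + HTTP_ONLY);
        httpResp.setHeader(CACHE_CONTROL_KEY, CACHE_CONTROL_VALUE);
        httpResp.setHeader(PRAGMA_KEY, PRAGMA_VALUE);
        httpResp.setHeader(STRICT_TRANSPORT_KEY, STRICT_TRANSPORT_VALUE);
    }

    /**
     * Writes a fixed JSON-typed rejection message to the response.
     *
     * <p>Nothing in this class calls it; it is kept for callers that may be
     * added alongside input validation.
     *
     * @param response response to write the message to
     * @throws IOException if the response writer cannot be obtained
     */
    private void createJSONErrorResponse(ServletResponse response)
            throws IOException {
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("Please provide valid input, You might have provided some special characters which is not allowed");
    }

    /** No resources are held, so there is nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * No-op; the filter takes no configuration.
     *
     * @param arg0 filter configuration, ignored
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }
}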