how to set httponly and session cookie for java web application

Backend | Open | 3 answers | 1534 views
爱一瞬间的悲伤 2020-12-14 10:30

I am working on an XSS (cross site scripting) issue. My application runs on an Oracle Weblogic portal. We use Servlet version 2.5.

I have added the below 3 lines o

3 answers
  • 2020-12-14 11:07

    You need to use the following syntax to set both the HttpOnly and Secure flags:

    JSESSIONID=ABC3423DF...SDF;HttpOnly;Secure
    
    0 | Discuss (0)
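The question is about Servlet 2.5, where `javax.servlet.http.Cookie` has no `setHttpOnly()` method (it was added in Servlet 3.0), so the only way to get the syntax above onto the wire is to write the raw `Set-Cookie` header yourself. The filter below is an added example, not code from the answer or from the questioner's application; the class name, the `forceSecure` init-param and the `/*` mapping are assumptions, and `JSESSIONID` is the default session cookie name used in the thread.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the original answers): a Servlet 2.5 filter that emits the
// session cookie as "JSESSIONID=<id>; Path=<ctx>; HttpOnly; Secure". Cookie.setHttpOnly()
// does not exist before Servlet 3.0, so the flags are written into the raw Set-Cookie
// header. Class name and the "forceSecure" init-param are assumptions.
public class SessionCookieFlagsFilter implements Filter {

    // true  -> always emit Secure (app is only ever reached over TLS, e.g. behind a proxy)
    // false -> emit Secure only when the request itself arrived over TLS
    private boolean forceSecure = true;

    public void init(FilterConfig config) throws ServletException {
        String v = config.getInitParameter("forceSecure");
        if (v != null) {
            forceSecure = Boolean.parseBoolean(v);
        }
    }

    // Builds the header value. Kept as a pure static method so it can be unit-tested
    // without a servlet container.
    static String buildSessionCookie(String sessionId, String contextPath, boolean secure) {
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        StringBuilder sb = new StringBuilder("JSESSIONID=").append(sessionId)
                .append("; Path=").append(path)
                .append("; HttpOnly");
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Obtain (or create) the session before the rest of the chain runs, so the header
        // is set while the response is still uncommitted.
        HttpSession session = request.getSession(true);

        // Secure is only honoured by the browser over TLS; sending it on plain HTTP makes
        // the browser drop the cookie and the user loses the session on every request.
        boolean secure = forceSecure || request.isSecure();

        // setHeader (not addHeader) replaces any Set-Cookie the container already queued
        // for this response, so the flagged version is the one the browser sees.
        response.setHeader("Set-Cookie",
                buildSessionCookie(session.getId(), request.getContextPath(), secure));

        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Register it in web.xml with a `<filter>` element and a `<filter-mapping>` on `/*` so it runs before every servlet. Two things to check after deploying: inspect the response in a proxy or browser dev tools and confirm there is exactly one `JSESSIONID` `Set-Cookie` header carrying both flags (some containers emit the session cookie through an internal response object and can add a second, unflagged copy), and confirm the session survives a page reload, since, as the next answer notes, rewriting a container-managed cookie can make some servers discard the session. Both problems disappear with the `<cookie-config>` approach once you are on Servlet 3.0.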
  • 2020-12-14 11:20

    Depending on the specifics of your web container, modifying container-managed session cookies within an app can cause the app server to toss the existing session and create a new one. I've observed this on Tomcat but it may be similar for Weblogic.

    If you're using Servlets 3.0, you can actually instruct the app server to ensure that all session cookies are HttpOnly and Secure with the following fragments:

    <session-config>
      <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
      </cookie-config>
    </session-config>
    

    This is a better approach than manually hacking on the cookies with a filter.

    FYI: I've also written a Java library that injects a number of security related response headers in Servlet based apps.

    0 | Discuss (0)
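The `<cookie-config>` fragment above has a programmatic equivalent in Servlet 3.0, `ServletContext.getSessionCookieConfig()`, which is convenient when the settings must depend on the deployment (for example, Secure only in environments that terminate TLS). The listener below is an added example, not code from the answer or from the library it mentions; the class name is an assumption, while `SessionCookieConfig`, `setHttpOnly`, `setSecure` and `@WebListener` are the standard Servlet 3.0 API.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Added example (not from the original answers): the programmatic equivalent of
//   <session-config><cookie-config><secure>true</secure><http-only>true</http-only>
//   </cookie-config></session-config>
// using the Servlet 3.0 SessionCookieConfig API. Class name is an assumption.
@WebListener
public class SessionCookieConfigListener implements ServletContextListener {

    public void contextInitialized(ServletContextEvent sce) {
        // SessionCookieConfig may only be changed before the ServletContext finishes
        // initialising; calling the setters later throws IllegalStateException.
        // contextInitialized() runs exactly inside that window.
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // same effect as <http-only>true</http-only>
        cfg.setSecure(true);   // same effect as <secure>true</secure>
    }

    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

Because the container itself now marks every session cookie it issues, no filter has to rewrite headers and the session is never recreated, which is why the answer prefers this over the filter approach. If both web.xml and the listener are present, the listener's values win, since they are applied after the descriptor is read.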
  • 2020-12-14 11:28

    I have used <http-only> and <secure> tags in web.xml to set the secure attributes and it worked.

    <session-config>
      <cookie-config>
        <http-only>true</http-only>
      </cookie-config>
    </session-config>
    
    0 | Discuss (0)