I have a web application which is running on a Tomcat 7 server. The cookie with the session id has by default the flags HttpOnly and Secure. I want to disable these flags for the JSESSIONID cookie. But it won't work. I have changed this in my web.xml file but it is not working.
<session-config>
    <session-timeout>20160</session-timeout>
    <cookie-config>
        <http-only>false</http-only>
        <secure>false</secure>
    </cookie-config>
</session-config>
I know this is a security risk because an attacker is able to steal the cookie and hijack the session if he has found an XSS vuln.
The JSESSIONID cookie should be sent with HTTP and HTTPS and with AJAX requests.
Edit:
I have successfully disabled the HttpOnly flag by adding the following option to the conf/context.xml file:
<Context useHttpOnly="false">
....
</Context>
I did not find a solution in Tomcat to this but if you're using apache as a reverse proxy you can do:
Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
with mod_headers, which will munge the header on the way back out to remove the secure flag. Not pretty, but it works if this is critical.
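An added check, not part of the question or the answer above: this Python script parses the Set-Cookie headers in a response, reports which cookies carry Secure and HttpOnly (so you can verify what the web.xml and context.xml changes actually produce), and applies the same regex edit the mod_headers directive uses so you can see exactly what it strips and what it leaves. The Set-Cookie values are constructed samples, not captured from a real server.

```python
import re
from typing import Dict, List

# Constructed sample Set-Cookie values, shaped like a Tomcat 7 app behind TLS would emit.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly",
    "lang=en; Path=/",
]

# Same pattern as the mod_headers directive quoted in the answer:
#   Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
# The greedy .* backtracks to the last "; Secure", so anything after it
# (here "; HttpOnly") survives the rewrite.
SECURE_STRIP_RE = re.compile(r"(JSESSIONID=.*)(; Secure)")


def strip_secure(header_value: str) -> str:
    """Apply the answer's regex rewrite to one Set-Cookie value."""
    return SECURE_STRIP_RE.sub(r"\1", header_value)


def cookie_flags(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its cookie name and the flags we care about."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive (RFC 6265), so compare lower-cased.
    attrs = {p.lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit(headers: List[str]) -> Dict[str, Dict[str, bool]]:
    """Report Secure/HttpOnly status for every cookie in a response."""
    report: Dict[str, Dict[str, bool]] = {}
    for h in headers:
        f = cookie_flags(h)
        report[str(f["name"])] = {"secure": bool(f["secure"]), "httponly": bool(f["httponly"])}
    return report


def session_cookie_findings(headers: List[str], session_name: str = "JSESSIONID") -> List[str]:
    """List the protective flags the session cookie is missing, if any."""
    flags = audit(headers).get(session_name)
    if flags is None:
        return [f"{session_name} not set"]
    return [flag for flag in ("secure", "httponly") if not flags[flag]]


if __name__ == "__main__":
    print("as emitted :", audit(SAMPLE_SET_COOKIE))
    rewritten = [strip_secure(h) for h in SAMPLE_SET_COOKIE]
    print("after edit :", audit(rewritten))
    print("findings   :", session_cookie_findings(rewritten))
```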