Tomcat 7 sessionid cookie disable http-only and secure

cookies tomcat7 session-cookies httponly cookie-httponly
JEE-Dev picture JEE-Dev · Aug 1, 2013 · Viewed 19.6k times · Source

I have a web application which is running on a Tomcat 7 server. The cookie with session id has by default the flags HttpOnly and Secure. I want to disable this flags for the JSESSIONID cookie. But it wont work. I have changed this in my web.xml file but it is not working.

<session-config>
    <session-timeout>20160</session-timeout>
    <cookie-config>
        <http-only>false</http-only>
        <secure>false</secure>
    </cookie-config>
</session-config>

I know this is a security risk because a attacker is able to steal the cookie and hijack the session if he has found a xss vuln.

The JSESSIONID cookie should be send with HTTP and HTTPS and with AJAX requests.

Edit:

I have successfuly disabled the HttpOnly flag by adding the following option to the conf/context.xml file:

<Context useHttpOnly="false">
....
</Context>

Answer

George Powell picture George Powell · Feb 8, 2017

I did not find a solution in Tomcat to this but if you're using apache as a reverse proxy you can do:

Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"

with mod_headers which will munge the header on the way back out to remove the secure flag. Not pretty but works if this is critical.

Related questions

How do I set/unset a cookie with jQuery?

How do I set and unset a cookie using jQuery, for example create a cookie named test and set the value to 1?

Read More
Set cookie and get cookie with JavaScript

I'm trying to set a cookie depending on which CSS file I choose in my HTML. I have a form with a list of options, and different CSS files as values. When I choose a file, it should be saved …

Read More
How do I expire a PHP session after 30 minutes?

I need to keep a session alive for 30 minutes and then destroy it.

Read More