Tomcat 7 sessionid cookie disable http-only and secure

JEE-Dev · Aug 1, 2013 · Viewed 19.6k times

I have a web application which is running on a Tomcat 7 server. The cookie with the session id has by default the flags HttpOnly and Secure. I want to disable these flags for the JSESSIONID cookie. But it won't work. I have changed this in my web.xml file but it is not working.

<session-config>
    <session-timeout>20160</session-timeout>
    <cookie-config>
        <http-only>false</http-only>
        <secure>false</secure>
    </cookie-config>
</session-config>

I know this is a security risk because an attacker is able to steal the cookie and hijack the session if he has found an XSS vuln.

The JSESSIONID cookie should be sent with HTTP and HTTPS and with AJAX requests.

Edit:

I have successfully disabled the HttpOnly flag by adding the following option to the conf/context.xml file:

<Context useHttpOnly="false">
....
</Context>

Answer

George Powell · Feb 8, 2017

I did not find a solution in Tomcat to this but if you're using apache as a reverse proxy you can do:

Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"

with mod_headers which will munge the header on the way back out to remove the secure flag. Not pretty but works if this is critical.
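Whichever of the two knobs is used (Tomcat's cookie-config / useHttpOnly, or the mod_headers rewrite in the answer above), the thing worth checking afterwards is what Set-Cookie value actually leaves the proxy, because a mismatch between config and observed header is exactly the kind of drift that silently leaves a session cookie weaker than intended. The script below is an added example, not code from either poster or from the Tomcat or Apache projects. It parses Set-Cookie values, reports which of the Secure and HttpOnly attributes a JSESSIONID cookie is missing, and applies the same regular expression as the `Header edit*` directive so you can see what that rewrite does to a header before deploying it. The sample header values are constructed for the example, not captured from a real server; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie values (not captured from a real server):
# what a Tomcat 7 instance with default cookie settings would send for a
# session cookie, one with Secure already missing, and an unrelated cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly",
    "JSESSIONID=FEDCBA9876543210; Path=/app; HttpOnly",
    "theme=dark; Path=/; Max-Age=86400",
]

# Same pattern as the mod_headers directive in the answer. re.sub replaces
# every non-overlapping match, which mirrors the "edit*" (edit all) action.
# Note the pattern is case-sensitive, like mod_headers' regex by default.
APACHE_PATTERN = re.compile(r"(JSESSIONID=.*)(; Secure)")


def strip_secure(set_cookie_value: str) -> str:
    """Emulate `Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"`:
    keep group 1 (everything before "; Secure") and drop the Secure flag."""
    return APACHE_PATTERN.sub(r"\1", set_cookie_value)


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so the check is case-insensitive the way
    browsers treat them; flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def audit_session_cookie(value: str, session_name: str = "JSESSIONID") -> List[str]:
    """Return the protective attributes missing from the session cookie,
    in fixed order. Empty list means both Secure and HttpOnly are present,
    or the header is not for the session cookie at all."""
    name, _, attrs = parse_set_cookie(value)
    if name != session_name:
        return []
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


def audit_all(values: List[str]) -> Dict[str, List[str]]:
    """Map each session-cookie header to its missing attributes; headers for
    other cookies, or with nothing missing, are left out of the report."""
    report: Dict[str, List[str]] = {}
    for v in values:
        missing = audit_session_cookie(v)
        if missing:
            report[v] = missing
    return report


if __name__ == "__main__":
    for header, missing in audit_all(SAMPLE_HEADERS).items():
        print(f"missing {missing}: {header}")
    # Show what the proxy rewrite would do to a fully flagged cookie.
    rewritten = strip_secure(SAMPLE_HEADERS[0])
    print(f"after mod_headers edit: {rewritten}")
    print(f"missing after edit: {audit_session_cookie(rewritten)}")
```

Run it against headers captured with `curl -sI` from both the Tomcat connector directly and from the proxy's public side; if the report differs between the two, the proxy is changing the cookie. The pattern relies on Tomcat writing the flag as `; Secure` with that exact capitalisation, which is what Tomcat 7 emits, so a differently cased flag from another backend would not be stripped.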