httpOnly cookie

jboss security httponly
bablu picture bablu · Nov 17, 2012 · Viewed 7.5k times · Source

I had done web scan for an application(built in struts and hibernate framework) deployed in jboss 5 which reported "Set-cookie does not use HTTPOnly keyword. The web application does not utilize HTTPOnly cookies". What does it mean. I looked for some post and just added one line in my jboss/deploy/jbossweb.sar/context.xml as 

<SessionCookie secure="true" useHttpOnly="true" >

After setting that, I am getting error while running the application.
Is there any configuration that I am missing?

Answer

free_easy picture free_easy · Nov 17, 2012

try this:

<SessionCookie secure="true" httpOnly="true" />

Related questions

JBoss AS 7.1 - datasource how to encrypt password

In JBoss AS 5, I have a datasource defined in *-ds.xml but put username/encrypted password in *-jboss-beans.xml. Now in JBoss AS 7.1, the datasource is defined in standalone.xml or domain.xml. Where do I put the encrypted password …

Read More
bouncycastle + JBoss AS7: JCE cannot authenticate the provider BC

I use BouncyCastle for encryption in my application. When I run it standalone, everything works fine. However, if I put it in the webapp and deploy on JBoss server, I get a following error: javax.servlet.ServletException: error constructing MAC: …

Read More
Configure Http Headers in JBoss EAP 7

Do you know if there is a standard way to configure the Http Headers that JBoss EAP 7 sends to the client? I am mainly interested in being able to configure the following ones: X-XSS-Protection X-Frame-Options Strict-Transport-Security Content-Security-Policy X-Content-Type-Options I found …

Read More