Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
663 views
in Technique[技术] by (71.8m points)

servlets - Secure and HttpOnly flags for session cookie Websphere 7

In Servlet 3.0 complaint application servers I can set the HttpOnly and secure flags for the session cookie (JSESSIONID) by adding the following to the web.xml:

<session-config>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

However, the application I'm working on is to be deployed in Websphere 7, which is Servlet 2.5 complaint and it fails to start if I add the above to the web.xml

Is there any other declarative way or setting in Websphere 7 configuration to turn on the HttpOnly and secure flags for the session cookie?

If not, what would be the best approach to accomplish that programmatically?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I think in WebSphere 7 you may have to delve into the administrative console. As ever the WebSphere documentation seems poor but seems to suggest setting the com.ibm.ws.security.addHttpOnlyAttributeToCookies property:

Both the Secure flag and the HTTPOnly flag are enabled by setting the WebSphere Application Server property: com.ibm.ws.security.addHttpOnlyAttributeToCookies.

I found this, which I hope is applicable to WAS7. Can you try please (I only have WAS 8 at the moment on my system):

JSESSIONID cookie:

Secure Flag:

The Secure flag can be set within the WebSphere Application Server administrative interface by selecting AppServer->[Server Name]->Web Container Settings->Session Management. Check the checkbox for “Restrict cookies to HTTPS Sessions”.

HTTPOnly Flag:

The HTTPOnly attribute cannot currently be set on this cookie. This is registered on the IBM site as APAR PK98436. The fix for this APAR is currently targeted for inclusion in Fix Packs 6.1.0.31 and 7.0.0.9, which are not yet available. With this APAR in place, the HTTPOnly flag can be set on the JSESSIONID cookie by way of the property name: com.ibm.ws.webcontainer.httpOnlyCookies. Refer to the following technote for instructions on enabling WebContainer custom properties.

The com.ibm.ws.webcontainer.httpOnlyCookies property is documented on the WAS 7 help site.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...