
I want to set a response header at my application web server end to make my cookies "httponly" and "secure".

Can anyone guide me how to achieve this? Will there be any impact on an application running on HTTPS if we make these changes?

Onki

1 Answer

IHS (which is based on Apache), in httpd.conf:

<Location /your-app>
    SetHandler server-status
    Order deny,allow
    Allow from all
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</Location>

where /your-app is the context root of your app.

WAS:

Servers > Server Types > WebSphere application servers > YOUR-APP > Web Container Settings > Web container > Custom Properties > New
Name: com.ibm.ws.webcontainer.HTTPOnlyCookies
Value: JsessionID

Servers > Server Types > WebSphere application servers > YOUR-APP > Session management > Enable Cookies link > Requires use of SSL protocol.

There might be some problems in your application (depending on how it was developed).

Example:

#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
<IfModule mod_status.c>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
# Add an "Allow from" directive to provide access to the server status page.
#
# Examples:
#
# 1. Allow any client with hostname *.example.com to view the page.
#
# Allow from .example.com
#
# 2. Allow the local machine to view the page using the loopback address.
#
# Allow from 127.0.0.1
#
# 3. Allow any machine on the local network to view the page.
#
# Allow from 192.168.1
</Location>
</IfModule>

...

##### NON-DEFAULT #####

<Location /xxx>
    SetHandler server-status
    Order deny,allow
    Allow from all
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</Location>

<VirtualHost *:80>
</VirtualHost>

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
Listen 4469

<VirtualHost *:443 *:4469>
SSLEnable
Keyfile /root/keys/web1-key-db.kdb
SSLStashfile /root/keys/web1-key-db.sth
</VirtualHost>

#####/NON-DEFAULT #####

...
Multisync
  • I added this Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure in httpd.conf, and it's not working. My question is: do I have to add it inside tags only? And if yes, then do I need to copy these again and then do it, or add this in the existing one? Will it be possible for you to give me one example here? – Onki Oct 17 '14 at 09:37
  • Could you also guide me to any documentation I can refer to for this? I am trying to google a lot about this but I am not getting much / accurate details about it. – Onki Oct 17 '14 at 09:45
  • @user3610891 I added an example. We investigated that a couple of years ago, so I don't remember any links to the documentation. Do you have an application server? You need to make some changes in the admin console in this case. – Multisync Oct 17 '14 at 10:02
  • We are using WAS 6.1 as our app server. – Onki Oct 17 '14 at 10:08
  • My question is: when we are doing changes at the web server level, then why do we need to do the changes again at the app server level? If we keep changes at both servers then it might be a problem, but if only one is changed then why do we need to configure the app server/web server again? – Onki Oct 17 '14 at 10:10
  • @user3610891 I found this http://stackoverflow.com/questions/9193112/secure-and-httponly-flags-for-session-cookie-websphere-7 – Multisync Oct 17 '14 at 10:15
  • Let's say my application URL is like this: https://one.two.three.com/context_root/firstrequest ... So if I make "<Location /context_root> SetHandler server-status Order deny,allow Allow from all Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure </Location>" ... is this context root set correctly for this block? – Onki Oct 17 '14 at 10:18
  • @user3610891, yes. Check also that you have "LoadModule headers_module modules/mod_headers.so" in your conf. – Multisync Oct 17 '14 at 10:25
  • I did all this. Uncommented the header line. Added the block, but still it's not working. My cookies are still not Secure and no HttpOnly. – Onki Oct 20 '14 at 05:11
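To check whether the Header edit directive from the answer above actually took effect (the last comment reports it did not), here is an added example, not from the question or answer, that audits the Set-Cookie values in a raw header dump such as the one curl -D - prints, and mirrors the directive's rewrite in a form that does not duplicate flags already present. The sample response and cookie names are constructed.

```python
"""Audit Set-Cookie headers for HttpOnly and Secure, and mirror the
Apache 'Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure' rewrite."""

REQUIRED_FLAGS = ("HttpOnly", "Secure")


def cookie_attributes(set_cookie: str) -> set:
    """Lower-cased attribute names of one Set-Cookie value.
    The first ';'-separated part is name=value; the rest are attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    return {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}


def missing_flags(set_cookie: str) -> list:
    """Required flags absent from one Set-Cookie header value."""
    attrs = cookie_attributes(set_cookie)
    return [f for f in REQUIRED_FLAGS if f.lower() not in attrs]


def audit(set_cookie_headers) -> dict:
    """Map cookie name -> list of missing flags, one entry per header."""
    return {v.split("=", 1)[0].strip(): missing_flags(v) for v in set_cookie_headers}


def apache_header_edit(set_cookie: str) -> str:
    """Same outcome as the answer's directive, but a flag is appended only
    when absent, so applying it twice never produces duplicate attributes."""
    out = set_cookie.rstrip().rstrip(";")
    attrs = cookie_attributes(out)
    for flag in REQUIRED_FLAGS:
        if flag.lower() not in attrs:
            out += ";" + flag
    return out


def set_cookie_values(raw_response: str) -> list:
    """Every Set-Cookie header value in a raw header dump (constructed input)."""
    return [line.split(":", 1)[1].strip()
            for line in raw_response.splitlines()
            if line.lower().startswith("set-cookie:")]


# Constructed sample of what 'curl -s -D - -o /dev/null https://host/app/' might show.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0000abc:-1; Path=/
Set-Cookie: LtpaToken2=xyz; Path=/; Domain=.two.three.com
Set-Cookie: tracking=1; Path=/; Secure; HttpOnly
Content-Type: text/html"""

if __name__ == "__main__":
    for name, missing in audit(set_cookie_values(SAMPLE_RESPONSE)).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```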