adding httponly and secure flag for set cookie in java web application

Question

I want to add the httponly and secure flags for Cookies. To implement it, I am using Filters which are configured in web.xml.

The code for adding flags is as below:

package com.crisil.dbconn;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.filters.SecurityWrapperResponse;

public class ClickjackFilter implements Filter 
{

    private String mode = "DENY";

    /**
     * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
     * decide to implement) not to display this content in a frame. For details, please
     * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse)response;
        //HttpServletRequest req = (HttpServletRequest)request.getSession();


        res.addHeader("X-FRAME-OPTIONS", mode );
        res.addHeader("X-Content-Type-OPTIONS", "nosniff" );
        res.addHeader("X-XSS-Protection", "1; mode=block" );
        res.addHeader("Vary", "*" );
        res.addHeader("Expires", "-1" );
        res.addHeader("Pragma", "no-cache" );
        res.addHeader("Cache-control", "no-cache, no-store,max-age=0, must-revalidate" );
        String contextPath = ((HttpServletRequest) request).getContextPath()+"kevalcccc";
       ((HttpServletResponse)ServletActionContext.getResponse()).setHeader("SET-COOKIE",  "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path="+contextPath+";Secure;HttpOnly");
     // touch the session
       // ((HttpServletRequest) request).getSessison();
       // System.out.println("zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz");

        // overwriting the cookie with Secure attribute set
       // ((HttpServletResponse)response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest)request).getSession().getId() + ";Path=/");

        ////////////

       /* Cookie[] cookies = ((HttpServletRequest) request).getCookies();
        if (cookies != null)
            for (int i = 0; i < cookies.length; i++) {
                cookies[i].setValue("");
                cookies[i].setPath("/");
                cookies[i].setMaxAge(0);
                cookies[i].setSecure(true);
                res.addCookie(cookies[i]);
            }
        */
        //////////////
        String sessionid = ((HttpServletRequest) request).getSession().getId();
        ((HttpServletResponse) response).setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    public void init(FilterConfig filterConfig) {
        String configMode = filterConfig.getInitParameter("mode");
        if ( configMode != null ) {
            mode = configMode;
        }
    }

}

The above code is adding httponly and secure flags for the JSESSIONID cookie. However, in the Response Header, I am getting two cookies. The second one does not have httponly and secure flags set. Please refer to the below output:

JSESSIONID=1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162!1451244054765; HttpOnly;Secure

JSESSIONID=1dbLWQ6WYBHJ93Tv7TfQ2fdLgjRp2pQBsVxQVZ2WBQkYwB60wg43!1248935162; path=/"

Why are the httponly and secure flags not added for the second cookie?

What is your webserver? – Alireza Fattahi Dec 28 '15 at 08:00 — Alireza Fattahi, Dec 28 '15 at 08:00

score 7 · Answer 1 · answered Dec 28 '15 at 08:42

7

Setting the JSESSIONID is the responsibility of whatever servlet container is running your web application. Remove the setHeader from your filter, and configure your web application properly by adding the following to your web.xml:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

answered Dec 28 '15 at 08:42

heenenee

19,914
1
60
86

1

i have tried above solution earlier. but web.xml version is 2.4 which is not supporting , due to which i used filter for this purpose. Any other solution. – keval Dec 28 '15 at 09:22
Look up in the docs of your servlet container how it can be configured. If it can't, maybe it's time to upgrade... Servlet 2.4 is like 12 years old already. – heenenee Dec 28 '15 at 15:55

score 0 · Answer 2 · edited May 23 '17 at 11:44

0

If your webserver not support it you must do it your self.

A good answer could be found at: How do you configure HttpOnly cookies in tomcat / java webapps?

edited May 23 '17 at 11:44

Community

1
1

answered Dec 28 '15 at 10:41

Alireza Fattahi

42,517
14
123
173

adding httponly and secure flag for set cookie in java web application

2 Answers2

Linked