
We have a legacy application running on Oracle Application Server J2EE 10g 10.1.3.5.0 using OC4J containers. To clear a Veracode dynamic scan flaw CWE ID-402 (and for best practice) we need to set the HttpOnly flag on our JSESSIONID cookies. We found, albeit scant, documentation for a system property:

-Dhttp.response.httponly=true

That supposedly supports this. (Some details on all supported properties here, although you may want to run it through a translator: https://volbers.wordpress.com/2011/06/24/secrets-of-the-oc4j/)

What we found, however, is that while this property works in a stand-alone OC4J instance (e.g., running in Eclipse), it does not work when deployed under OAS/OPMN. We even tried using reflection to look up the Evermind OC4JProperty for HTTP_RESPONSE_HTTPONLY and were able to set it to true programmatically. However, the same behavior ensued: something is ignoring that property when running in the deployed container.

Does anyone know how to make this work in a deployed environment?

Just for context, here is OC4J's own description of this property:

% java -jar /oas/j2ee/home/oc4j.jar -describeProperty http.response.httponly

Property name: http.response.httponly
Description: Used to prevent cross-site scripting attack
Default value: false
Primitive type: Boolean
Deprecated: false
Log value change: false
Is static: false
kmarx
  • Which JDK are you using? Which version of Servlets? I've also found that adding it to the OC4J arguments does not work. It might be time to migrate to a different application server :( – Hugo M. Zuleta Nov 20 '18 at 14:45
  • JDK 1.6, Servlet 2.5. We'd love to upgrade to modern/supported platforms, but that's not an option for us due to legacy dependencies and operational constraints – kmarx Nov 20 '18 at 18:19

1 Answer


Try adding the following to your orion-web.xml

<session-tracking cookie-path="/pathtoyourapp; HttpOnly"/>
mkane