Thursday, September 18, 2008

HttpOnly Cookies and Java EE Application servers (WebLogic, WebSphere etc)

Most of the application servers (WebLogic, WebSPhere) are not supporting HttpOnly Cookies
If you are not familiar with HttpOnly Cookies please see the posting of Jef http://www.codinghorror.com/blog/archives/001167.html

Currenlty there is no way to specify the session cookie as HttpOnly in most of the application servers.
However you can work aroud this weekness by implemeting a custome cookie which is HttpOnly and the same can be set and tracked by a Servlet Filter. First time when the session is established this (httpOnly) cookie also set and subsequent request will be rejected if it not submitted with this httpOnly cookie along with session cookie.
A sample Filter is available here -  http://rejeev.googlepages.com/HttpOnlyCookieFilter.java 

3 comments:

Jim Manico said...

Websphere supports it...

... Problem conclusion

WebSphere Application Server has been modified to properly
recognize, accept and process HTTP-Only cookies. This support
is targeted for fixpacks 6.0.2.21 and 6.1.0.11.
Please review the recommended updates page at
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27004980
for more information.

Mells said...

Weblogic supports it too from WLS 9.2 MP4 and WLS 10.0 MP2 onwards.Please have a look at the weblogic.xml deployment descriptor in order to set it

http://download.oracle.com/docs/cd/E13222_01/wls/docs92/webapp/weblogic_xml.html#wp1071982

Frugal Guy said...

BTW, the HttpOnlyCookieFilter allows a joined session that is missing the http-only cookie.

In fact, the only way to get caught is to have the wrong http-only cookie in the request. If the extra cookie is entirely stripped from the request, the filter is fooled and allows the request to be serviced.