Question

In sign.jsp, I have written the following so that, if a user is already logged in, he is immediately forwarded to his home page:

<%
try {
    // getSession(false) returns null when no session exists yet, so guard
    // against a NullPointerException before reading the attribute
    HttpSession session1 = request.getSession(false);

    if (session1 != null
            && session1.getAttribute("authenticated") != null
            && session1.getAttribute("authenticated").equals(true)) {
        response.sendRedirect("userhome.jsp");
        return; // stop rendering the login page once the redirect is sent
    } else {
        // users have to login here
    }
} catch (Exception e) {
    // fall through and show the login form
}
%>

The security scan is reporting "Missing HttpOnly Attribute in Session Cookie" in sign.jsp.

If I set <Context useHttpOnly="true"> ... </Context>

in C:\Program Files\Apache Software Foundation\Apache Tomcat 6.0.20\conf,

then will my problem be solved, or what else do I have to do? Any suggestion is much appreciated.


Solution

If you are using Servlet 3.0: Servlet 3.0 (Java EE 6) introduced a standard way to configure the HttpOnly attribute for the session cookie, by applying the following configuration in web.xml:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

OTHER TIPS

Another approach is:

import javax.servlet.http.Cookie;

// Cookie.setHttpOnly() is available from Servlet 3.0 onward
Cookie cookie = new Cookie(cookieName, cookieValue);
cookie.setHttpOnly(true);
httpResponse.addCookie(cookie);

Read this article: https://access.redhat.com/solutions/338313

I think you have to set:

<Context cookies="true" crossContext="true">
  <!-- crossContext only enables cross-application request dispatching; it is unrelated to the cookie flags -->
  <SessionCookie secure="true" httpOnly="true" />
</Context>

attributes in "$PROFILE\deploy\jbossweb.sar\context.xml"
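As an added verification step that is not part of the question or of any of the answers above: whichever fix you apply, confirm it by looking at the Set-Cookie header the server actually emits for sign.jsp, which is what the scanner inspects. Note that the web.xml <cookie-config> element and Cookie.setHttpOnly() exist only from Servlet 3.0 (Tomcat 7) onward; on the Tomcat 6.0.20 named in the question, the useHttpOnly Context attribute is what the container offers. The script below parses Set-Cookie headers the way a scanner does and reports a missing HttpOnly (and, for HTTPS sites, Secure) flag on the session cookie. The BEFORE_FIX and AFTER_FIX headers are constructed samples, and fetch_set_cookie_headers is a helper written for this example, not a library API.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags.

Added example; not code from the question or the answers above.
"""
import http.client
from urllib.parse import urlparse


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lowered;
    flag attributes such as HttpOnly and Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_session_cookie(set_cookie_headers, session_cookie_name="JSESSIONID",
                         expect_secure=False):
    """Return a list of findings for the session cookie in the given headers.

    An empty list means the session cookie was seen and carries the expected
    flags. Secure is only required when expect_secure is set, i.e. when the
    application is served over HTTPS.
    """
    findings = []
    seen = False
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != session_cookie_name:
            continue
        seen = True
        if "httponly" not in attrs:
            findings.append("Missing HttpOnly attribute in session cookie")
        if expect_secure and "secure" not in attrs:
            findings.append("Missing Secure attribute in session cookie")
    if not seen:
        findings.append("No %s cookie was set by this response" % session_cookie_name)
    return findings


def fetch_set_cookie_headers(url, timeout=10):
    """Request url once and return every Set-Cookie header value.

    Hypothetical network helper for live use against your own server; the
    sample run below uses constructed headers so that it works offline.
    """
    parsed = urlparse(url)
    conn_cls = (http.client.HTTPSConnection if parsed.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parsed.hostname, parsed.port, timeout=timeout)
    try:
        conn.request("GET", parsed.path or "/")
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample headers: a session cookie before and after HttpOnly is enabled.
BEFORE_FIX = ["JSESSIONID=3A9F0C1D2E; Path=/myapp"]
AFTER_FIX = ["JSESSIONID=3A9F0C1D2E; Path=/myapp; HttpOnly"]
OTHER_COOKIE_ONLY = ["theme=dark; Path=/; HttpOnly"]


if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit_session_cookie(headers) or ["OK"])
```

Against a running server, call fetch_set_cookie_headers("http://localhost:8080/myapp/sign.jsp") and pass the result to audit_session_cookie; the same check from the command line is curl -sI against that URL and looking for "HttpOnly" in the Set-Cookie line. Remember that JSP pages create a session by default (the implicit session object), which is why the scanner sees a session cookie on the login page at all.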

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow