Question

I had done a web scan for an application (built with the Struts and Hibernate frameworks) deployed in JBoss 5, which reported "Set-cookie does not use HTTPOnly keyword. The web application does not utilize HTTPOnly cookies". What does it mean? I looked at some posts and just added one line in my jboss/deploy/jbossweb.sar/context.xml as

<SessionCookie secure="true" useHttpOnly="true" >

After setting that, I am getting an error while running the application.
Is there any configuration that I am missing?


Solution 2

What does it mean?

The HttpOnly flag in an HTTP response header indicates to the browser that client-side access to the JSESSION_ID or other session-cookie type identifier should not be permitted. What this is intended to prevent is malicious access to the session token via client-side scripts in an XSS (or other attack involving session hijacking from the client side). Currently almost all major browsers support this flag (see this list of supporting browsers), but it's simply ignored in browsers that don't support it. See more info on this at the OWASP site.

Setting it up is similar for Tomcat and forks of it, including JBoss, by including the following in your context file:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

or

 <SessionCookie secure="true" httpOnly="true" />
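Whichever of the two forms above the container accepts, the thing to verify is the header the application actually sends, not the configuration file: the scanner in the question graded the `Set-Cookie` response header, and that is where the fix shows up. The checker below is an added example, not code from the question or from either answer, and it is not part of JBoss or Tomcat. It parses `Set-Cookie` headers the way a scanner would and reports a session cookie that lacks the HttpOnly or Secure attribute. The two sample responses are constructed for the example; in practice you would feed it the headers returned by the HTTPS endpoint of the application (for example from `curl -sI https://host/app/`). Note one caveat when copying the answer's snippet: `secure="true"` tells the browser to send the session cookie only over HTTPS, so a deployment that is still tested over plain `http://` will appear to lose its session after that change.

```python
"""Added example: check Set-Cookie headers for the HttpOnly and Secure flags.

Not code from the original question or answers. The sample responses at the
bottom are constructed; the session-cookie name list is an assumption
(JSESSIONID is what Tomcat and JBoss Web issue).
"""
from typing import Dict, List, Optional, Tuple

# Cookie names treated as session identifiers (assumed list).
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SESSIONID"}


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are case-insensitive (RFC 6265), so they are lowered.
    Flag attributes such as Secure and HttpOnly carry no value and map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def check_set_cookie(header_value: str) -> List[str]:
    """Return the findings for one Set-Cookie header; an empty list means OK."""
    name, attrs = parse_set_cookie(header_value)
    findings: List[str] = []
    if name.upper() not in SESSION_COOKIE_NAMES:
        return findings  # only session identifiers are graded here
    if "httponly" not in attrs:
        findings.append(f"{name}: Set-Cookie does not use the HttpOnly flag")
    if "secure" not in attrs:
        findings.append(f"{name}: Set-Cookie does not use the Secure flag")
    return findings


def check_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Grade every Set-Cookie header in a list of (header name, value) pairs.

    A response may carry several Set-Cookie headers; each is checked on its own.
    """
    findings: List[str] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(check_set_cookie(value))
    return findings


# Constructed sample responses: the state the scanner complained about,
# and the state after the session cookie is configured with both flags.
BEFORE_FIX = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=5C1D2E3F4A5B6C7D8E9F; Path=/app"),
]
AFTER_FIX = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=5C1D2E3F4A5B6C7D8E9F; Path=/app; Secure; HttpOnly"),
    # A non-session cookie without the flags is not reported by this checker.
    ("Set-Cookie", "lang=en; Path=/app"),
]

if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        problems = check_response(headers)
        print(f"{label}: {problems if problems else 'no findings'}")
```

The parser lowers attribute names because browsers and scanners treat `HttpOnly`, `httponly` and `HTTPONLY` alike, so a checker that compares case-sensitively would report a false finding on a server that emits a different spelling. Also note that the question's own line, `<SessionCookie secure="true" useHttpOnly="true" >`, is not a closed element, so it is not well-formed XML regardless of which attribute name the container expects; a container that fails to parse its context file will not start the application.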

Other tips

try this:

<SessionCookie secure="true" httpOnly="true" />
License: CC-BY-SA with attribution
Not affiliated with StackOverflow