
I need to secure the JSESSIONID, in particular from XSS.

Previously I added the HTTP-ONLY security constraint to my deployment descriptor (web.xml) but it is not working in GAE Java. Has anyone tried this before on Google AppEngine please?

<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

Thank you

Henry
  • Refer http://stackoverflow.com/questions/16398327/set-httponly-and-secure-flags-on-session-cookie-in-google-app-engine – bNd Feb 27 '14 at 07:03
  • Good stuff. I have tried that previously and it wasn't working fine & I retried today. It seems to me that there were some typo errors. The filter didn't invoke filterChain.doFilter(request, response); by the end of doFilter. Works perfectly now. – Henry Feb 28 '14 at 14:31
  • Possible duplicate of [set httpOnly and secure flags on session cookie in Google App Engine](https://stackoverflow.com/questions/16398327/set-httponly-and-secure-flags-on-session-cookie-in-google-app-engine) – A_01 Oct 18 '18 at 08:53
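The `<cookie-config>` element in web.xml is a Servlet 3.0 feature, and the App Engine Java runtime of that period only offered Servlet 2.5, which is why the descriptor is silently ignored there. The working alternative referred to in the comments is a servlet Filter that rewrites the `Set-Cookie` header for the session cookie. The following is an added example written for this page, not code from the linked answer or from Google; the class name `SessionCookieFlagsFilter` and the fixed cookie name `JSESSIONID` are assumptions for illustration. It wraps the response so that both `addHeader`/`setHeader` and `addCookie` paths are covered, appends `HttpOnly`, adds `Secure` only when the request itself arrived over HTTPS (so the cookie still works on the local HTTP dev server), and, as the comment above points out is essential, always calls `chain.doFilter` with the wrapped response.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not part of any project) that forces HttpOnly, and
 * Secure on HTTPS requests, onto the JSESSIONID cookie on Servlet 2.5
 * containers such as the older Google App Engine Java runtime, where
 * web.xml <cookie-config> is not understood.
 */
public class SessionCookieFlagsFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID"; // assumed default name

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Only mark the cookie Secure when the client really used TLS; otherwise
        // the browser would drop it and every request would start a new session.
        final boolean overTls = request.isSecure();

        HttpServletResponse wrapped = new HttpServletResponseWrapper(response) {
            @Override public void addHeader(String name, String value) {
                super.addHeader(name, harden(name, value, overTls));
            }
            @Override public void setHeader(String name, String value) {
                super.setHeader(name, harden(name, value, overTls));
            }
            // Containers often emit the session cookie through addCookie(); the
            // Servlet 2.5 Cookie class has no setHttpOnly(), so serialise it by hand.
            @Override public void addCookie(Cookie c) {
                if (!SESSION_COOKIE.equals(c.getName())) { super.addCookie(c); return; }
                StringBuilder sb = new StringBuilder(c.getName()).append('=').append(c.getValue());
                sb.append("; Path=").append(c.getPath() == null ? "/" : c.getPath());
                if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
                if (c.getMaxAge() >= 0) sb.append("; Max-Age=").append(c.getMaxAge());
                super.addHeader("Set-Cookie", harden("Set-Cookie", sb.toString(), overTls));
            }
        };

        // The call the broken version of the filter was missing: without it the
        // servlet never runs and the client gets an empty response.
        chain.doFilter(request, wrapped);
    }

    /** Appends HttpOnly (and Secure when appropriate) to a JSESSIONID Set-Cookie value. */
    static String harden(String headerName, String value, boolean overTls) {
        if (value == null || !"Set-Cookie".equalsIgnoreCase(headerName)
                || !value.startsWith(SESSION_COOKIE + "=")) {
            return value;
        }
        String lower = value.toLowerCase();
        StringBuilder sb = new StringBuilder(value);
        if (!lower.contains("httponly")) sb.append("; HttpOnly");
        if (overTls && !lower.contains("; secure")) sb.append("; Secure");
        return sb.toString();
    }
}
```

Register it in web.xml with a `<filter>` element and a `<filter-mapping>` whose `<url-pattern>` is `/*`, and list it before any other filter so that the wrapped response is the one every later component writes to. Keep in mind that `HttpOnly` only stops script from reading `document.cookie`; it does not stop an injected script from making authenticated requests, so it complements, rather than replaces, output encoding against XSS.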
