
Hi, I am trying to add the HttpOnly and Secure flags to my cookie. This is what I have tried:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public static void addCookie(HttpServletRequest request, HttpServletResponse response)
{
    // cookies sent by the client with this request
    Cookie[] cookie = request.getCookies();

    for (int i = 0; i < cookie.length; i++)
    {
        System.out.println(cookie[i].toString());
        System.out.println("cookie Name :" + cookie[i].getName());
        System.out.println("cookie value :" + cookie[i].getValue());
        cookie[i].setSecure(true);

        System.out.println("Secure :" + cookie[i].getSecure());
    }
}

In the above code I have just set secure to true. Now when I use Firebug to check whether the cookie is set to secure or not, I just see the response in Firebug.

Why is my cookie not secure?

Now the other flag, HttpOnly: how do I set the HttpOnly flag on my cookie?

When I am writing my code in Eclipse, Eclipse suggests a method:

cookie[i].setHttpOnly(true);


But when I run the code I get the error:

java.lang.NoSuchMethodError: javax.servlet.http.Cookie.setHttpOnly(Z)V

I looked at the javax.servlet.http.Cookie class specification (http://docs.oracle.com/javaee/1.4/api/javax/servlet/http/Cookie.html) and I don't see any method called

cookie[i].setHttpOnly(true);

How do I secure my cookies?

I have tried multiple solutions but they didn't work. I have tried this:

String sessionid = req.getSession().getId();
res.setHeader("Set-Cookie", "JSESSIONID=" + sessionid + ";HttpOnly");
// setHeader replaces any existing header of that name, so this second call overwrites the first
res.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure");

Update 1: I have tried this also

<session-config>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

but it is for Servlet 3.0 and does not work for 2.5. @Jarrod Roberson, could you please reopen my question?

When I put the above in my web.xml I get the error below:

cvc-complex-type.2.4.a: Invalid content was found starting with element 'cookie-config'. One of '{"http://
 java.sun.com/xml/ns/javaee":session-timeout}' is expected.

Update 2: I have searched a lot and everywhere I see the same solution. The <cookie-config> is introduced in Servlet 3.0 and not supported in older versions such as 2.5. Your web.xml is declared conform Servlet 2.5. Please see the answer by BalusC: web.xml validation in Weblogic throws error because of cookie-config

Update 3

This is exactly what I did, as suggested in the link: Suggested link

Entry in my web.xml

<filter>
  <filter-name>Security Filter</filter-name>
  <filter-class>com.globalss.dnb.monitor.security.SecurityFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>Security Filter</filter-name>
  <url-pattern>*.jsp</url-pattern>
</filter-mapping>

SecurityFilter class

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecurityFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // wrap the response
        response = new SecureCookieSetter((HttpServletResponse) response);

        // touch the session
        ((HttpServletRequest) request).getSession();

        // overwriting the cookie with Secure attribute set
        ((HttpServletResponse) response).setHeader("Set-Cookie", "JSESSIONID=" + ((HttpServletRequest) request).getSession().getId() + ";Path=/");
    }

    public void destroy() {
        // nothing to clean up
    }

    public void init(FilterConfig arg0) throws ServletException {
        // nothing to initialise
    }
}

SecureCookieSetter class

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SecureCookieSetter extends HttpServletResponseWrapper {

    public SecureCookieSetter(HttpServletResponse  response) {
        super(response);
    }

    // cookies added via the API get the Secure attribute before they are written
    @Override
    public void addCookie(Cookie cookie) {
        cookie.setSecure(true);
        super.addCookie(cookie);
    }

    // raw Set-Cookie headers get ";Secure" appended unless it is already the last attribute
    @Override
    public void addHeader(String name, String value) {
        if ((name.equals("Set-Cookie")) && (!value.matches("(^|.*;)\\s*Secure"))) {
            value = value + ";Secure";
        }
        super.addHeader(name, value);
    }

    @Override
    public void setHeader(String name, String value) {
        if ((name.equals("Set-Cookie")) && (!value.matches("(^|.*;)\\s*Secure"))) {
            value = value + ";Secure";
        }
        super.setHeader(name, value);
    }
}

After doing this, when I run my server I am not able to access any page of my application, though I don't get any error.

Update 4

As suggested, I added the line suggested by BalusC. I am able to run the application, but I don't see the HttpOnly flag.


Please help

  • The answer given at http://stackoverflow.com/questions/16398327/set-httponly-and-secure-flags-on-session-cookie-in-google-app-engine is for Servlet 3.0, and I am using Servlet 2.5. – Varun Jun 07 '16 at 09:31
  • @Jarrod Roberson can you please reopen my question? The solution given is for Servlet 3.0, and I am using Servlet 2.5. I have already tried the answer suggested here: http://stackoverflow.com/questions/15510354/how-to-set-httponly-and-session-cookie-for-java-web-appliaction – Varun Jun 07 '16 at 09:43
  • Same solution. Servlet API version is irrelevant to HTTP headers. – Jun 07 '16 at 13:47
  • @Jarrod Roberson please see the updated question – Varun Jun 07 '16 at 14:17
  • Currently linked duplicate is indeed the wrong one. Curiously, in your first comment you linked the correct duplicate: http://stackoverflow.com/questions/16398327. How exactly did that not help in solving your concrete problem? I can reopen, but I'm much tempted to close with the correct duplicate instead. Your link and any of this should apply: http://stackoverflow.com/search?q=is%3Aa+HttpServletResponseWrapper+HttpOnly – BalusC Jun 07 '16 at 14:29
  • @BalusC please see update 3 in the question – Varun Jun 07 '16 at 14:44
  • I now see that the example contains a major mistake which is perhaps not obvious to starters who never wrote/understood servlet filters before: it's missing the `chain.doFilter(request, response);` line which is supposed to continue the processing of the request/response. When you add this crucial line to the very end of your `doFilter()` method, does it start to work? – BalusC Jun 07 '16 at 14:48
  • @BalusC Please see update 4 – Varun Jun 07 '16 at 15:16
  • You're indeed only adding `Secure` flag, not `HttpOnly` flag. – BalusC Jun 07 '16 at 17:30
  • @BalusC Could you please help me to set the HttpOnly – Varun Jun 08 '16 at 05:33
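For reference, an added example (not the asker's code nor an answer from the thread) of a Servlet 2.5 filter that does what the comments point to: it keeps the chain running with `chain.doFilter`, and its response wrapper appends both `Secure` and `HttpOnly` to any `Set-Cookie` header that lacks them, writing cookies as raw headers because `Cookie.setHttpOnly()` does not exist in Servlet 2.5. The class name `SecureHttpOnlyCookieFilter` is assumed.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not the asker's code: Servlet 2.5 filter that marks every
// Set-Cookie it sees Secure and HttpOnly, and keeps the filter chain running.
public class SecureHttpOnlyCookieFilter implements Filter {
    static class CookieFlagResponse extends HttpServletResponseWrapper {
        CookieFlagResponse(HttpServletResponse response) { super(response); }

        // Servlet 2.5 has no Cookie.setHttpOnly(), so emit the header by hand.
        @Override
        public void addCookie(Cookie cookie) {
            StringBuilder sb = new StringBuilder(cookie.getName()).append('=').append(cookie.getValue());
            if (cookie.getPath() != null) sb.append("; Path=").append(cookie.getPath());
            if (cookie.getMaxAge() >= 0) sb.append("; Max-Age=").append(cookie.getMaxAge());
            addHeader("Set-Cookie", sb.toString());   // goes through withFlags() below
        }

        @Override
        public void addHeader(String name, String value) { super.addHeader(name, withFlags(name, value)); }

        @Override
        public void setHeader(String name, String value) { super.setHeader(name, withFlags(name, value)); }

        // Append each attribute only if it is not already present (case-insensitive).
        static String withFlags(String name, String value) {
            if (!"Set-Cookie".equalsIgnoreCase(name)) return value;
            String lower = value.toLowerCase();
            if (!lower.matches("(^|.*;)\\s*secure(\\s*;.*|\\s*$)")) value += "; Secure";
            if (!lower.matches("(^|.*;)\\s*httponly(\\s*;.*|\\s*$)")) value += "; HttpOnly";
            return value;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        CookieFlagResponse response = new CookieFlagResponse((HttpServletResponse) res);
        // The container writes JSESSIONID directly, bypassing this wrapper, so create the
        // session first and re-issue its cookie through the wrapper (the asker's approach).
        String sessionId = request.getSession().getId();
        response.setHeader("Set-Cookie", "JSESSIONID=" + sessionId + "; Path=/");
        chain.doFilter(request, response);   // the line the filter in Update 3 omits
    }

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }
}
```

Map it in web.xml with a `url-pattern` of `/*` rather than `*.jsp`, otherwise responses for non-JSP resources never pass through the wrapper.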
