July 9, 2010 / edeustace

Adding the HttpOnly cookie to Tomcat and Josso

My current project has undergone a security review. One of the recommendations was to add the HttpOnly flag to session cookies. The flag tells the browser not to expose the cookie to script (document.cookie), so a cross-site scripting bug cannot simply read the session ID and ship it off somewhere; it does not stop script from making requests that carry the cookie. More info here.

So a session cookie set by the server should look like this (Secure should be there as well when the site is served over HTTPS):

Set-Cookie: JSESSIONID=blahblah; Path=/; HttpOnly

In our app we set 2 session cookies, one is the default JSESSIONID that you get with your webapp container, the second is a JOSSO_SESSIONID that is set by our SSO system Josso.

Tomcat
The good news is that on Tomcat 6.0.19 and later this is a one-attribute change. The useHttpOnly attribute lives on the Context element (not on the authenticator valve), so it goes in the web app's own context.xml (META-INF/context.xml on plain Tomcat, WEB-INF/context.xml under JBoss Web) or, for every web app, in conf/context.xml. It defaults to false on Tomcat 6:

<Context useHttpOnly="true">
</Context>

However, the particular version of Tomcat that we use is 6.0.13 (aka JBossWeb 2.0.1.GA from JBoss 4.2.2.GA), which doesn’t support this configuration option. Instead you need a servlet filter that rewrites the Set-Cookie header the container has already queued for the session.

Here is the implementation, adapted from the Stack Overflow post listed under Resources and wrapped in a complete filter:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HttpOnlySessionCookieFilter implements Filter {
	public void init(FilterConfig config) {}
	public void destroy() {}

	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		// Rewrite before the chain runs; afterwards the response may already be committed.
		rewriteCookieToHeader((HttpServletRequest) req, (HttpServletResponse) res);
		chain.doFilter(req, res);
	}

	private void rewriteCookieToHeader(HttpServletRequest request, HttpServletResponse response) {
		// Only fires if something earlier in the pipeline (e.g. the authenticator valve
		// creating the session) already queued a Set-Cookie; Tomcat matches the name case-insensitively.
		if (response.containsHeader("SET-COOKIE")) {
			String sessionid = request.getSession().getId();
			String contextPath = request.getContextPath();
			String path = contextPath.length() == 0 ? "/" : contextPath; // root context has an empty path; Tomcat uses "/"
			String secure = request.isSecure() ? "; Secure" : "";
			// setHeader replaces every queued Set-Cookie, so any other cookie already on the response is dropped here.
			response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + path + "; HttpOnly" + secure);
		}
	}
}

Josso
I was searching the Josso documentation and forums for a solution for this, but couldn’t see it mentioned. In the end I patched Josso using the same technique as above:

Added to org.josso.tc55.agent.SSOAgentValve.invoke() at line 511 (Josso 1.8.0):

// hres, entry, contextPath and debug are the valve's own locals and fields at this point
log("patch: check SET-COOKIE");
// Tomcat matches header names case-insensitively, so the second test is redundant but harmless
if( hres.containsHeader("Set-Cookie") || hres.containsHeader("SET-COOKIE") )
{
	if( debug >= 1 )
	{
		log("patch: SET-COOKIE as HttpOnly");
	}
	String secure = "";
	if (request.isSecure())
	{
		secure = "; Secure";
	}
	// setHeader replaces every Set-Cookie queued so far, so this has to run after
	// JOSSO has added its cookie and before anything else adds one to the response
	hres.setHeader("SET-COOKIE",
			org.josso.gateway.Constants.JOSSO_SINGLE_SIGN_ON_COOKIE + "=" + entry.ssoId +
			"; Path=" + contextPath + "; HttpOnly" + secure);
}

Resources:
http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps
http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/
http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html


One Comment

  1. Jon French / Sep 10 2010 6:43 pm

    Thanks for this post. I notice that this issue is still outstanding in JOSSO 1.8, so I’ve logged a JOSSO JIRA ticket for this issue at:

    http://www.josso.org/jira/browse/JOSSO-239
