July 9, 2010 / edeustace

Adding the HttpOnly cookie to Tomcat and Josso

My current project has undergone a security review. One of the recommendations was to add HttpOnly to session cookies. More info here.

So when the server is setting cookies it looks like this:

Set-Cookie: JSESSIONID=blahblah; Path=/; HttpOnly

In our app we set 2 session cookies, one is the default JSESSIONID that you get with your webapp container, the second is a JOSSO_SESSIONID that is set by our SSO system Josso.

The good news is that setting HttpOnly on versions of Tomcat > 6.0.19 is a simple change to the WEB-INF/context.xml file:

<Valve className="org.apache.catalina.authenticator.FormAuthenticator"

However, the particular version of Tomcat that we use is 6.0.13 (aka JBossWeb 2.0.1.GA from JBoss 4.2.2.GA), which doesn’t support this configuration option. Instead you need to write a servlet filter.

Here is the implementation taken from the stackoverflow post:

// Called from doFilter() after chain.doFilter(request, response) has returned,
// i.e. once the container has queued its session cookie on the response.
private void rewriteCookieToHeader(HttpServletRequest request, HttpServletResponse response) {
    if (response.containsHeader("SET-COOKIE")) {
        String sessionid = request.getSession().getId();
        String contextPath = request.getContextPath();
        String secure = "";
        if (request.isSecure()) {
            secure = "; Secure";
        }
        // setHeader replaces every Set-Cookie value queued so far with this one
        response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath + "; HttpOnly" + secure);
    }
}

I was searching the Josso documentation and forums for a solution for this, but couldn’t see it mentioned. In the end I patched Josso using a similar technique as above:

Added to org.josso.tc55.agent.SSOAgentValve.invoke() at line 511 (Josso 1.8.0); hres, entry and contextPath are the valve's own locals at that point:

log("patch: check SET-COOKIE");
if (hres.containsHeader("Set-Cookie") || hres.containsHeader("SET-COOKIE")) {
    if (debug >= 1)
        log("patch: SET-COOKIE as HttpOnly");
    String secure = "";
    if (request.isSecure())
        secure = "; Secure";
    // Replace the SSO cookie the valve just queued with an HttpOnly copy
    // (setHeader call reconstructed to match the filter snippet above)
    hres.setHeader("Set-Cookie",
            org.josso.gateway.Constants.JOSSO_SINGLE_SIGN_ON_COOKIE + "=" + entry.ssoId +
            "; Path=" + contextPath + "; HttpOnly" + secure);
}



One Comment

  1. Jon French / Sep 10 2010 6:43 pm

    Thanks for this post. I notice that this issue is still outstanding in JOSSO 1.8, so I’ve logged a JOSSO JIRA ticket for this issue at:
