HTTP Only and Secure Flag
Set the HttpOnly and Secure flags on the session cookie.
JSESSIONID
For JSESSIONID, we can upgrade the web application to Servlet 3.0 by updating the web-app element in web.xml:

<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
Then, in web.xml, add a <cookie-config> inside <session-config>:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

This setting applies only to the container's own session-tracking cookie (JSESSIONID); cookies that the application creates itself are not affected by it.
Somehow, the above method does not work on a self-defined cookie in my case.
Here we introduce an alternative solution.
Implement a security filter and map it to the pages that need filtering:

<filter>
    <filter-name>Security Filter</filter-name>
    <filter-class>common.SecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>Security Filter</filter-name>
    <url-pattern>*.jsf</url-pattern>
</filter-mapping>
Implement a wrapper that extends HttpServletResponseWrapper. It appends the Secure attribute to every Set-Cookie header that does not already carry it; the check is case-insensitive and accepts the attribute anywhere in the attribute list, so a cookie is never given the flag twice:

import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
public class SecureCookieSetter extends HttpServletResponseWrapper {
    public SecureCookieSetter(HttpServletResponse response) {
        super(response);
    }
    // append Secure to a Set-Cookie value that does not already contain it (any case, any position)
    private static String withSecure(String value) {
        if (!value.matches("(?is)(^|.*;)\\s*Secure\\s*(;.*)?")) {
            value = value + ";Secure";
        }
        // if (!value.matches("(?is)(^|.*;)\\s*HttpOnly\\s*(;.*)?")) {
        //     value = value + ";HttpOnly";
        // }
        return value;
    }
    public void setHeader(String name, String value) {
        super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withSecure(value) : value);
    }
    // containers frequently emit cookies through addHeader rather than setHeader, so cover it too
    public void addHeader(String name, String value) {
        super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withSecure(value) : value);
    }
}
Implement the security filter. It wraps the response, re-issues the self-defined SessionKey cookie through the wrapper so that it is written back with the Secure attribute, and then passes the wrapped response down the filter chain (the original cookie value is read from the request, since the page does not show where SessionKey is first issued):

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
public class SecurityFilter implements Filter {
    public void init(FilterConfig config) { }
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) request;
        // wrap the response so every Set-Cookie it writes carries the Secure attribute
        HttpServletResponse wrapped = new SecureCookieSetter((HttpServletResponse) response);
        // touch the session so the container keeps it alive while the SessionKey does not change
        httpReq.getSession();
        // overwrite the SessionKey cookie through the wrapper, which appends the Secure attribute
        Cookie[] cookies = httpReq.getCookies();
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            if ("SessionKey".equals(cookies[i].getName())) {
                wrapped.setHeader("Set-Cookie", "SessionKey=" + cookies[i].getValue() + ";Path=/");
            }
        }
        chain.doFilter(request, wrapped); // the rest of the chain must see the wrapped response
    }
    public void destroy() { }
}
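As an added example (not code from the original post), the same Set-Cookie rewriting that the wrapper above performs, written in Python so it can double as an offline check of a response's cookie flags: has_attribute looks for a flag anywhere in the attribute list, case-insensitively, ensure_flags appends Secure and HttpOnly only when missing (so it is safe to apply twice), and audit reports which cookies in a header list lack them. The sample headers are constructed for the example.

```python
# attributes we expect on every session cookie
WANTED = ("Secure", "HttpOnly")

def has_attribute(set_cookie: str, attr: str) -> bool:
    """True if the Set-Cookie value already carries the flag, in any case and at any position."""
    attrs = [part.strip() for part in set_cookie.split(";")[1:]]
    return any(a.lower() == attr.lower() for a in attrs)

def ensure_flags(set_cookie: str) -> str:
    """Append Secure / HttpOnly to a Set-Cookie value when missing; idempotent."""
    value = set_cookie.rstrip("; ")
    for attr in WANTED:
        if not has_attribute(value, attr):
            value += "; " + attr
    return value

def audit(headers):
    """Return {cookie_name: [missing flags]} for every Set-Cookie header in a response."""
    missing = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        lacking = [a for a in WANTED if not has_attribute(value, a)]
        if lacking:
            missing[cookie_name] = lacking
    return missing

# constructed sample response headers, not captured from a real server
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "SessionKey=k9; Path=/; secure; HttpOnly"),  # lower-case flag still counts
    ("Set-Cookie", "prefs=dark; Path=/"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
    for _, cookie in SAMPLE_HEADERS[1:]:
        print(ensure_flags(cookie))
```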
Understanding JSESSIONID
JSESSIONID is an ID generated by the servlet container (such as Tomcat or Jetty) and used for session management in J2EE web applications over HTTP.
The ID is sent to the client either in a cookie (the default) or as part of the URL (called URL rewriting, used only if cookies are disabled in the browser).
How does JSESSIONID work?
When the first request that demands the creation of a session arrives at a J2EE server, the server creates an HttpSession object and sends the session ID to the browser. The browser then sends the same session ID with every subsequent request.
Thus the stateless protocol becomes a stateful one.
There are two ways a request from the browser notifies the container/server to start a new session.
1. Requesting a JSP page (as we saw above).
   The container creates certain implicit objects for a JSP, and one of them is the HttpSession object. The HttpSession object holds the session ID, which is written to the response header. You can alter the default behaviour by adding this directive to the page:
   <%@ page session="false" %>
2. Requesting a servlet that has code to initiate the creation by calling one of:
   request.getSession() - returns the HttpSession object if it already exists, else creates a new one
   request.getSession(true) - same as above
   request.getSession(false) - returns a pre-existing session if it exists, else does not create one