I am not getting how to set flag secure to true in spring mvc.
I have tried the following four ways but I'm unable to get any solution:
1) Set http-only on cookies created in Spring MVC Controller
2) Forcing Tomcat to use secure JSESSIONID cookie over http
3) https://www.owasp.org/index.php/SecureFlag
4) https://www.whitehatsec.com/blog/session-cookie-httponly-flag-java/
I have tried this code also and placed in web.xml
<session-config>
<session-timeout>20</session-timeout>
<cookie-config>
<secure>true</secure>
</cookie-config>
</session-config>
but it's not working.
i have tried using java:
Cookie cookie = new Cookie("timestamp", new Long(new Date().getTime()).toString());
cookie.setSecure(true);
I placed above code in Interceptor
but this is also not working.
When I check in my browser/resources to check whether my flag is set to secure or not.
but none of the ways is working.
Please tell me where I am going wrong.
Related
I am making a web application based on Spring 3 and Apache Wicket. When the user of the application click on element, after the timeout of the session, the application crash because the HTML file doesn't find the Java component. How can I prevent this?
By default Wicket will create a new instance of the page if the old one is gone for any reason: https://github.com/apache/wicket/blob/38bee6e932e63fa033c2139cdfb2f82eba55fadc/wicket-core/src/main/java/org/apache/wicket/settings/PageSettings.java#L46
Maybe this setting is false for you ?!
Behind you spring/wicket app you have a Java Servlet Web application. Set the timeout=0 and sessions won't expire.
Include this block in the web.xml. You can also do it programatically.
<web-app ...>
<session-config>
<session-timeout>0</session-timeout>
</session-config>
</web-app>
I believe you are looking for ExpiredErrorPage Configure below in yourApplication init() method
Whenever session expired it will redirect to loginpage . It will not show like crashed .so that you can login again and do your stuff.
getApplicationSettings().setPageExpiredErrorPage(LoginPage.class);
I am using Wildfly, Spring MVC in my project.
And after redirecting to another page of my project - to my browser address line appears some session info like in this image:
p.s. When i were using Tomcat - there was no such problems.
Is there an optimal way to stop auto-adding session information in the address bar?
Thanks.
Update:
In the normal situation, when i were redirecting in my past projects(for example) from page "index" to page "login" i saw something like this: "myapp.com/login"
But now i saw:"myapp.com/login;jsessionid=nGTE5tfW3hUZZOP1yQTF4Mrh3PRbNu8UyY8UBkmx.coderunit".
I didn't made some special options to my app server to cancel this session info additions. Maybe there are some special tool for it.
I solved this problem.
There is some spectial option for web.xml.
This is the default behavior of a servlet container. If the client doesn’t include a cookie in the first request, the container cannot tell whether the client supports cookies or not. Therefore the container embeds the session id in the URL.
You can disable this in your web.xml using the session-config element:
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
It helped me. Good luck.
Environment :
Liferay 6.2 with Jboss
We are trying to implement httponly and secure.
For this we have dome some changes like below
Added in Portal-ext.properties :
cookie.http.only.names.excludes=
and
Added following properties in ROOT.war/WEB-INF/web.xml
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
I can see all the session cookies are httponly except the one which are starting with LFR_SESSION_STATE_
Can anyone suggest how we can handle this.
LFR_SESSION_STATE_ are cookies that explicitly get handled on client-side and not on server side - thus they're inherently only accessed through JS. As far as I know they're never even persisted on server side. And I don't expect any real leakage from these cookies. In my perception the cookies are about determining state of the quality "should this help item be shown with full text or just collapsed".
In my Spring(3.1) MVC web application(servlet 3.0) i have following href link in one of the JSP-s:
<a href="./edit_account?id=${account.accountId}">
<i class="icon-th-list"></i>${account.accountId} ${program.customer} </a>
It used to work properly whenever user clicks on above link on the web page, edit_account used to get appended to application url and used to reach corresponding method within Controller class.
Now due to security reasons, I had to make all cookies secure and http-only. Hence added following snippet in web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
</web-app>
After adding above, none of the clicks(href in all JSP-s) working.
Following Error is thrown at web page, however j_session_id is showing up on the Url.
Http 400 description The request sent by the client was syntactically incorrect.
in all my JSP-s, session is true.
Can somebody please help me what changes I need to do make so that all the flows working even after adding above snippet in web.xml?
If you enable secure flag, this means your browser is not allowed to send jsessionId over cookies in the request header back to your server. Therefore IF you try to connect your server over HTTP (instead of HTTPS) the jsessionId cannot be sent over cookies in the http request and must be included into your url links so that the servlet can somehow track the users session.
To solve this isseu, you have to use HTTPS by default.
P.S: Actually links with jsessionId shouldn't be a problem. Please check the URL syntax it should be like this http://www.example.org/some_path;jessionid=d398jdsjnck398.1?paramater_name=parameter_value . If the ;jessionid is always at the end of the URL then it may be an indicator that the links are incorrectly generated. A possible reason for that may be that misuse of tag.
I am confused about a couple things regarding cookies.
Why do I need to use/customize javax.servlet.http.Cookie class in order to implement a Remember me feature?
In my web.xml couldn't I just use?:
<session-config>
<session-timeout>10080</session-timeout>
</session-config>
Isn't it a security issue having cookies on a computer? Couldn't a cracker steal another user's cookie and hijack their session?
You don't - you just need to create an http session. Tomcat will either create a cookie or use a jsessionid URL parameter to maintain your session - this is part of the Java EE servlet specification. If you use a JSP then they automatically create http sessions. Various other things can cause sessions to be created also.
Yes, this is called session hijacking.