I got this following error when my website was being audited. I have developed my website using jsp, servlets, java classes.
Missing HttpOnly Attribute in Session Cookie
Security Risks
It is possible to steal or manipulate customer session and cookies, which might be
used to impersonate a legitimate user, allowing the hacker to view or alter user records,
and to perform transactions as that user
Causes:
The web application sets session cookies without the HttpOnly
attribute
Remediation Tasks:
Add the 'HttpOnly' attribute to all session cookies
I am passing java security token as hidden parameter while clicking on submit button. How can i add this HttpOnly attribute in that token?
The HttpOnly attribute is set on Cookies, and these are (usually) passed from the server to the client, not from the client to the server. HttpOnly is not an attribute you can set on a form or form parameter. Here the client is the browser and the server is the Java EE server running your Java application.
Cookies are usually created by a server, passed to the browser and then passed back. Now it is possible to create and manipulate Cookies using JavaScript which can be helpful but can also be a security hole. So an HttpOnly Cookie is only accessible by the server, or in other words it is not accessible from client side JavaScript which protects your site from some forms of XSS attacks. So the Browser will store and return an HttpOnly Cookie but it will not alter it or allow you to create it on the client; an HttpOnly Cookie must be created on the server.
If you're using JSP it's likely your server is automatically creating a Cookie to manage sessions for you; this is the cookie on which you need to set the HttpOnly attribute. The method to set HttpOnly on your SESSIONID Cooke will be container specific.
were you able to set the "HttpOnly" attribute in session cookies?
i found this code to do this on https://www.owasp.org/index.php/HttpOnly
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
<session-config>
Related
Current to set the cookies in SpringWebFlux web client, I am manually adding cookies with the equal sign like name1=value;name2=value;name3-value and adding it to the header with Cookie key.
webclient.get().header("Cookie",name1=value;name2=value;name3-value);
But I don't know how to add HttpOnly or Secure flag for these cookies being added.Please let me know how to add these flags while making REST calls to the Https URL using spring webclient ? I couldn't find a way to add these flags. Adding these flags mandatory if the connection is over HTTPS ?
I am manually adding cookies with the equal sign like name1=value;name2=value;name3-value and adding it to the header with Cookie key.
This is a very odd way of doing things - you can add cookies directly with WebClient by using webclient.get().cookie().
But I don't know how to add HttpOnly or Secure flag for these cookies being added.
You can't, and you don't need to - these are flags sent by the server to the client to detail restrictions that the browser should enforce in handling these cookies. It therefore makes no sense to set those flags when sending the cookies to the server - there's no useful behaviour the server would be able to take based on those flags.
Apologies if I sound bad.
I have a xyz.war that does some authentication and sets a cookie(with HttpOnly set so I can not expire it via javascript) so that when the user logs-in for the next time the session is maintained. Now, given that I have the access to the Tomcat that is hosting the xyz.war how can I write a Java program that could expire/delete the cookie? I can create a .war of the java project and host it in the same Tomcat and access it from client side via a api.
You would have invalidate the session in xyz application. Removing (thus beeing able to midify) cookie by third parties would be a security hole.
I have the web application. I deploy it into jetty container.
After browser restart it looses jsession id although session alive on server and redirect me to login page.
In browser I see following cookies:
How to know current jsessionId cookie type ?
Can I change cookie type to resolve my issue?
How to change jsessionId cookie type ?
Which type would be proper at this case ?
Your session is not deleted until its expire time on the server side.
However, your "browsing session" ends when you restart your browser. Therefore your browser deletes all session based cookies, including the one grabbed from your website. As as result, you lose your old session and forced to start new session.
Check this out:
What is the best way to implement "remember me" for a website?
The cookie that identifies your session is JSESSIONID. See that expires attribute for that cookie is Session which means that the browser will forget it when you close it. You need to make the server set expires attribute for the cookie, that is login response should contain header similar to:
Set-Cookie: JSESSIONID=<id>; expires=Tuesday, 05-Nov-2004 08:30:09 GMT; ...
Read documentation for your authentication library to find out how to do that.
My application is running in jboss 7 and the sessions are being maintained by using the jsessionid cookie, which is marked secure and httponly. But even with this, if I am able to get any user's jsessionid cookie value, I will be able to spoof as the user. Is there any way to prevent this?
When you have a session for a user on your server, you need to match a request from a user to its session, it's the goal of the JSESSIONID cookie.
This is why you need to secure it by adding "secure" (this cookie will only be sent over https to prevent network sniffing) and "HttpOnly" (to disable access to this cookie by client javascript code) options.
You can add other mitigation methods by checking change in user's IP address (but will break 3G/WIFI change for legit users), user agent string, ...
But in practice, if you have access to the JSESSIONID cookie you can have access to these data too.
You can take a look at OWASP Session Management Cheat Sheet for more :
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
I use Dojo to make XHR requests to a Java Servlet and I can't figure out how to get the value of the JESSIONID cookie returned to me in the response header.
I need the session ID so I can use it within another web application (Flex) whose requests should use the same HttpSession (within the servlet) as for the initial web page requests.
My servlet container is Tomcat7 and I already configured the config.xml of my webApp with the useHttpOnly="false" setting so that the cookie should be available. However I just can't figure out how to extract it, dojo/cookie only gives me the cookies for the current page, not the HTTP request I just made.
Thanks.
Why do you think you need to access the cookie yourself? The browser is responsible for handling cookies automatically. From the spec:
If the user agent supports HTTP State Management it should persist, discard and send cookies (as received in the Set-Cookie response header, and sent in the Cookie header) as applicable.
Also, it is forbidden to attempt to retrieve the Set-Cookie header of an XHR request response.
In short: You can’t do what you are doing, and you shouldn’t have to. Flash uses the cookies from the browser when making requests, so long as it is properly configured. So, assuming the XHR sets the cookie first, Flash should also send it.