servlets - set HttpOnly and Secure flags on session cookie in Google App Engine


I need to set the HttpOnly and Secure flags on the session cookie in Google App Engine.

I tried the following in web.xml:

```xml
<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
```

However, it didn't work.

I tried this at the top of every JSP:

```jsp
<%
    // read the current session id and re-emit the session cookie with HttpOnly
    String sessionId = request.getSession().getId();
    response.setHeader("Set-Cookie", "JSESSIONID=" + sessionId + "; HttpOnly");
%>
```

How can I achieve this?

I had the same problem on Google App Engine, where I wanted to add the Secure attribute to cookies. The following shows how I've added the Secure attribute to cookies. I'm sure the solution will work for HttpOnly by substituting HttpOnly for Secure.

I've implemented a security filter and made a mapping for the pages on which I want the Secure attribute set.

```xml
<filter>
    <filter-name>security filter</filter-name>
    <filter-class>common.SecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>security filter</filter-name>
    <url-pattern>*.jsf</url-pattern>
</filter-mapping>
```

My first try was to wrap the response in a custom HttpServletResponseWrapper. That was fine, except the session cookie didn't get the attribute. I debugged around and found that the session cookie is not added using the mechanism I had expected. I noticed that after I touch the session, the session cookie is magically added to the response headers, e.g. the headers contain the line `Set-Cookie: JSESSIONID=abcdef;Path=/`, but the cookie wasn't added using the wrapper object I had created. I figured out that after I've touched the session I can set the cookie I want with the attributes I want. The workaround is easy.

```java
// SecurityFilter.java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecurityFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // wrap the response so every cookie added through it gets the Secure attribute
        response = new SecureCookieSetter((HttpServletResponse) response);

        // touch the session so the container creates it (and its JSESSIONID cookie)
        ((HttpServletRequest) request).getSession();

        // overwrite the session cookie; the wrapper's setHeader appends the Secure attribute
        ((HttpServletResponse) response).setHeader("Set-Cookie",
                "JSESSIONID=" + ((HttpServletRequest) request).getSession().getId() + ";Path=/");

        // continue with the wrapped response so application cookies are flagged too
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}

// SecureCookieSetter.java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SecureCookieSetter extends HttpServletResponseWrapper {

    // matches a Set-Cookie value that already carries a Secure attribute anywhere in its attribute list
    private static final String HAS_SECURE = "(?i)(^|.*;)\\s*Secure\\s*(;.*)?";

    public SecureCookieSetter(HttpServletResponse response) {
        super(response);
    }

    @Override
    public void addCookie(Cookie cookie) {
        cookie.setSecure(true);
        super.addCookie(cookie);
    }

    @Override
    public void addHeader(String name, String value) {
        if (name.equalsIgnoreCase("Set-Cookie") && !value.matches(HAS_SECURE)) {
            value = value + ";Secure";
        }
        super.addHeader(name, value);
    }

    @Override
    public void setHeader(String name, String value) {
        if (name.equalsIgnoreCase("Set-Cookie") && !value.matches(HAS_SECURE)) {
            value = value + ";Secure";
        }
        super.setHeader(name, value);
    }
}
```
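Added example, not code from either post above: a filter that generalises the answer's approach to set both attributes the question asks for, Secure and HttpOnly, on every Set-Cookie header, including the JSESSIONID cookie the container emits after the session is touched. The class name SessionCookieFlagsFilter, the helpers withAttribute and hardened, and the sample header strings are my own; the cookie.setHttpOnly call assumes a Servlet 3.0 or later API, while the header rewriting in addHeader/setHeader works on any servlet version. It needs a filter-mapping in web.xml like the one in the answer.

```java
// SessionCookieFlagsFilter.java (hypothetical name; example code, not from the original post)
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SessionCookieFlagsFilter implements Filter {

    /**
     * Returns the Set-Cookie value with the attribute appended, unless an
     * attribute of that name is already present (compared case-insensitively,
     * so "secure" and "Secure" both count and nothing is added twice).
     */
    static String withAttribute(String setCookie, String attribute) {
        String wanted = attribute.toLowerCase(Locale.ROOT);
        for (String part : setCookie.split(";")) {
            if (part.trim().toLowerCase(Locale.ROOT).equals(wanted)) {
                return setCookie;
            }
        }
        return setCookie + "; " + attribute;
    }

    /** Applies both flags the question asks for. */
    static String hardened(String setCookie) {
        return withAttribute(withAttribute(setCookie, "Secure"), "HttpOnly");
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = new CookieFlagsResponse((HttpServletResponse) response);

        // Touching the session makes the container emit its own JSESSIONID
        // Set-Cookie header, which does not go through the wrapper. Re-set it
        // through the wrapper, which appends the flags. setHeader replaces any
        // Set-Cookie headers already present, so this runs before the chain;
        // cookies the application adds later go through addCookie/addHeader
        // and are flagged one by one without being overwritten.
        String sessionId = req.getSession().getId();
        res.setHeader("Set-Cookie", "JSESSIONID=" + sessionId + "; Path=/");

        chain.doFilter(request, res);
    }

    @Override
    public void destroy() {
    }

    /** Flags every cookie, whichever API the application uses to add it. */
    static class CookieFlagsResponse extends HttpServletResponseWrapper {

        CookieFlagsResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            cookie.setHttpOnly(true); // Servlet 3.0+ API (assumption, see lead-in)
            super.addCookie(cookie);
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? hardened(value) : value);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? hardened(value) : value);
        }
    }

    /** Stand-alone check of the header rewriting on constructed sample values. */
    public static void main(String[] args) {
        String[] samples = { // constructed, not captured from a real server
            "JSESSIONID=abcdef; Path=/",
            "JSESSIONID=abcdef; Path=/; secure",
            "prefs=dark; Max-Age=3600; HttpOnly; Secure"
        };
        for (String s : samples) {
            System.out.println(s + "  =>  " + hardened(s));
        }
    }
}
```

Two points to check when deploying this: the attribute test compares whole attribute tokens, so a header that already carries `secure` in any position or case is left untouched rather than gaining a second copy, and the Secure flag means the browser only sends the cookie over HTTPS, so a site that still serves some pages over plain HTTP will lose its session on those pages. Verify the result with the browser's developer tools or by reading the Set-Cookie header in a response, where both attributes should appear on JSESSIONID.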
