There is a concern that client-side scripts should not be able to access the cookies sent by the server. To address this, the HttpOnly cookie flag was introduced by Microsoft Internet Explorer and has since been widely adopted by other browsers and the public.
Read more about it at the OWASP site: http://www.owasp.org/index.php/HTTPOnly
Tomcat exposes this feature as a flag on the Context element, which you can place in either WEB-INF/context.xml (JBoss) or META-INF/context.xml (Tomcat).
Reference: http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
So look up examples of context.xml (a Google search will find plenty) and add useHttpOnly="true" as an attribute of the Context element.
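Once the flag is in place, the way to confirm it is to look at the Set-Cookie headers the server actually sends. The following check is an added example, not code from the original post or from Tomcat; the two HTTP responses it inspects are constructed to show a session cookie before and after useHttpOnly="true" is set.

```python
"""Report which cookies in an HTTP response lack the HttpOnly flag."""
from typing import Dict, List


def parse_set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response.

    Only the header block (everything before the first blank line) is read,
    so cookie-like text in the body is never mistaken for a header.
    """
    values = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_flags(set_cookie_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its HttpOnly/Secure flags."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; value-less flags such as HttpOnly have no '='.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def cookies_missing_httponly(raw_response: str) -> List[str]:
    """Names of the cookies that a client-side script would still be able to read."""
    return [f["name"] for f in map(cookie_flags, parse_set_cookie_headers(raw_response))
            if not f["httponly"]]


# Constructed sample responses (not captured from a real server): the first is a
# default Tomcat session cookie, the second is the same response after useHttpOnly="true".
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Set-Cookie: JSESSIONID=ABCDEF0123456789; Path=/app\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Set-Cookie: JSESSIONID=ABCDEF0123456789; Path=/app; HttpOnly\r\n"
         "Set-Cookie: theme=dark; Path=/app\r\n"
         "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    print("before:", cookies_missing_httponly(BEFORE))  # ['JSESSIONID']
    print("after: ", cookies_missing_httponly(AFTER))   # ['theme']
```

Note that useHttpOnly only governs the container's session cookie (JSESSIONID); cookies the application sets itself, like the constructed "theme" cookie above, still need the flag added in application code.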
2 comments:
Hi Anil,
in which version of the JBoss application server is the useHttpOnly feature supported?
Thanks,
Harald
Harald,
I will have to look at the tomcat version part of the JBAS stack. It should definitely be there in JBAS6.