Year Of Security for Java – Week 3 – Session Cookie Secure Flag


What is it and why do I care?
Session cookies (or the cookie containing the JSESSIONID to Java folks) are the cookies used to perform session management for web applications. These cookies hold the reference to the session identifier for a given user, and the same identifier is maintained server-side along with any session scoped data related to that session id. Since cookies are transmitted on every request, this is the most common mechanism used for session management in web applications.

The secure flag is an additional attribute you can set on a cookie that instructs the browser to ONLY send that cookie over HTTPS (encrypted) connections, and _not_ over HTTP (unencrypted) connections. This ensures your session cookie is not exposed to an attacker who can observe unencrypted traffic, for example in a man-in-the-middle (MITM) attack. This is not a complete solution for secure session management, but it is an important step.


What should I do about it?
The resolution here is quite simple. You must add the secure flag to your session cookie (and preferably to all cookies, since every request to your site should be made over HTTPS if at all possible).

Here’s an example of how the Set-Cookie response header for a session cookie might look without the secure flag (the flag is set by the server in Set-Cookie; the browser never echoes it back in its Cookie request header):

Set-Cookie: jsessionid=AS348AF929FK219CKA9FK3B79870H

And now, with the secure flag:

Set-Cookie: jsessionid=AS348AF929FK219CKA9FK3B79870H; Secure

Not much to it. You can set the flag manually on each cookie you create, but if you’re working in a Servlet 3.0 or newer environment, there’s a simple configuration setting in the web.xml that takes care of the session cookie for you. You should add this snippet to your web.xml.
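The following web.xml fragment is an added example, not the snippet from the original post: it uses the standard Servlet 3.0 `session-config`/`cookie-config`/`secure` element to make the container emit the session cookie with the Secure attribute. The `web-app` root element and the `security-constraint` block are assumptions added for completeness; the constraint implements the post’s advice that every request should be HTTPS by having the container redirect plain-HTTP requests to HTTPS, so a Secure session cookie is always sent.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the original post's snippet). Servlet 3.0 deployment descriptor;
     the root element and namespace are assumed for a Servlet 3.0 container. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Session cookie configuration: the container will send
       Set-Cookie: JSESSIONID=...; Secure
       so the browser only returns the session id over HTTPS. -->
  <session-config>
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
  </session-config>

  <!-- Assumed addition: force HTTPS for the whole application. A request that arrives
       over plain HTTP is redirected to HTTPS by the container, which is what makes the
       Secure flag usable on every request rather than only on some. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

The same cookie setting can be applied programmatically in a Servlet 3.0 container by calling `getServletContext().getSessionCookieConfig().setSecure(true)` from a `ServletContextListener`’s `contextInitialized` method, before the first session is created. To verify the change, inspect the first response that creates a session (with the browser’s developer tools or a tool that prints response headers) and confirm the `Set-Cookie` header for the session id carries `Secure`.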


As you can see, resolving this issue is quite simple. It should be on everyone’s //TODO list.

