Year Of Security for Java – Week 4 – Session Cookie HttpOnly Flag

No Gravatar

What is it and why do I care?
Session cookies (or the cookie containing the JSESSIONID to Java folks) are the cookies used to perform session management for web applications. These cookies hold the reference to the session identifier for a given user, and the same identifier is maintained server-side along with any session scoped data related to that session id. Since cookies are transmitted on every request, this is the most common mechanism used for session management in web applications.

The HttpOnly flag is an additional flag that is used to prevent an XSS (Cross-Site Scripting) exploit from gaining access to the session cookie. Since gaining access to the session cookie, and subsequently hijacking the victim’s session, is one of the most common results of an XSS attack, the HttpOnly flag is a useful prevention mechanism.

HttpOnly Flag

What should I do about it?
The resolution here is quite simple. You must add the HttpOnly flag to your session cookie (and preferably all cookies).

Here’s an example of how a session cookie might look without the HttpOnly flag:

Cookie: jsessionid=AS348AF929FK219CKA9FK3B79870H;

And now, with the HttpOnly flag:

Cookie: jsessionid=AS348AF929FK219CKA9FK3B79870H; HttpOnly;

And, if you were following along from last week, with both the secure and HttpOnly flags:

Cookie: jsessionid=AS348AF929FK219CKA9FK3B79870H; HttpOnly; secure;

Not much to it. You can obviously manually do this, but if you’re working in a Servlet 3.0 or newer environment, there’s a simple configuration setting in the web.xml that takes care of this for you. You should add this snippet to your web.xml.


And, if you also use the secure flag, it looks like this:


As you can see, resolving this issue is quite simple. It should be on everyone’s TODO list.


Be Sociable, Share!

Technorati Tags: , , ,