How do you configure HttpOnly cookies in tomcat / java webapps?

by

httpOnly is supported as of Tomcat 6.0.19 and Tomcat 5.5.28.

See the changelog entry for bug 44382.

The last comment for bug 44382 states, “this has been applied to 5.5.x and will be included in 5.5.28 onwards.” However, it does not appear that 5.5.28 has been released.

The httpOnly functionality can be enabled for all webapps in conf/context.xml:

<Context useHttpOnly="true">
...
</Context>

My interpretation is that it also works for an individual context by setting it on the desired Context entry in conf/server.xml (in the same manner as above).

More Related Contents:

  1. XSS prevention in JSP/Servlet web application
  2. How do you set up use HttpOnly cookies in PHP
  3. Handling passwords used for auth in source code
  4. How do I make an http request using cookies on Android?
  5. Securing a password in a properties file [duplicate]
  6. Java Error: “Your security settings have blocked a local application from running”
  7. Handling Java crypto exceptions
  8. Automatic cookie handling with OkHttp 3
  9. java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty on Linux, or why is the default truststore empty [duplicate]
  10. Using NTLM authentication in Java applications
  11. Jsoup Cookies for HTTPS scraping
  12. How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
  13. How to implement a possibility for user to post some html-formatted data in a safe way?
  14. Create a mutable java.lang.String
  15. java.security.AccessControlException: Access denied (java.io.FilePermission
  16. convert openSSH rsa key to javax.crypto.Cipher compatible format
  17. How do I generate a SALT in Java for Salted-Hash?
  18. How to log into Facebook programmatically using Java?
  19. Android encryption
  20. Too much data for RSA block fail. What is PKCS#7?
  21. Apache HttpClient 4.0.3 – how do I set cookie with sessionID for POST request?
  22. JAAS for human beings
  23. How do I persist cookies when using HTTPUrlConnection?
  24. When to move from Container managed security to alternatives like Apache Shiro, Spring Security?
  25. How to set Cookies at Http Get method using Java
  26. SSLContext initialization
  27. How does Java strings being immutable increase security?
  28. Can a secret be hidden in a ‘safe’ java class offering access credentials?
  29. How to hash a password with SHA-512 in Java?
  30. How to obtain the location of cacerts of the default java installation?

Leave a Comment