Preventing all XSS flaws in an application is difficult. To help mitigate the impact of an XSS flaw on your site, the Open Web Application Security Project (OWASP) recommends setting the HttpOnly flag on your session cookie and on any custom cookies that are not accessed by any JavaScript you wrote. This cookie flag is typically on by default in .NET apps, but in other languages you have to set it manually.

According to Michael Howard, Senior Security Program Manager in the Secure Windows Initiative group at Microsoft, the majority of XSS attacks target theft of session cookies. A server can help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating that the cookie should not be accessible to client-side script. If a browser that supports HttpOnly detects a cookie carrying this flag and client-side script attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the cookie data to an attacker's website.

The Context element has a useHttpOnly attribute, which enables or disables the HttpOnly feature. To enable HttpOnly for all web applications, set the useHttpOnly attribute on the Context element in the WEB-INF/context.xml file (on JBoss) or in META-INF/context.xml (on Tomcat) as follows:

    <Context useHttpOnly="true">
        ...
    </Context>

For more information on the HttpOnly cookie flag, including what it does and how to use it, refer to the OWASP article on HttpOnly (http://www.owasp.org/index.php/HttpOnly). See also http://tomcat.apache.org/tomcat-6.0-doc/config/context.html.

Tomcat has a specific setting to make JSESSIONID HttpOnly, but it is in a configuration file that does not ship with ENOVIA software. Therefore, the recommended way to enable HttpOnly functionality for ENOVIA web applications is to set the useHttpOnly attribute in the Context element.
This also works for an individual context by setting the attribute on the desired Context entry in conf/server.xml. Other application servers may have similar settings, but this is not a J2EE standard setting. A more general solution that works across application servers is to add a servlet filter that forces the cookie to use HttpOnly on its way out to the client when it is set:

    // Inside Filter.doFilter(), after chain.doFilter(request, response) has run:
    if (response.containsHeader("SET-COOKIE")) {
        // Re-emit the session cookie with the HttpOnly attribute appended.
        String sessionid = request.getSession().getId();
        response.setHeader("SET-COOKIE",
            "JSESSIONID=" + sessionid + "; Path=/<whatever>; HttpOnly");
    }

Note that this overwrites all Set-Cookie headers and sends only the cookie you state here in this filter.