Session Cookie HttpOnly and Secure Flag – Java

08 Mar

Hi folks,

Recently, I came across a pen (penetration) test finding. Here are the details.

All cookies are required to have the 'HttpOnly' and 'Secure' flags set. A missing flag on either count may result in a pen-test finding.

I have made the changes below to fix this issue. The main objective of sharing these details here is the hope that they will help others.

In the web.xml file, make the changes below and check the result with HttpWatch in IE or TamperData in Firefox (look at the Set-Cookie header of the response for the "HttpOnly" and "Secure" attributes).

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
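The same setting can be applied in code rather than in web.xml, which is handy when the deployment descriptor cannot be changed or is declared against an older schema (the cookie-config element above needs web.xml to use the Servlet 3.0 or later schema). The listener below is an added example written for this post, not code from the original post or from any of the linked references; the class and method names are my own. It sets both flags on the container's session cookie through the Servlet 3.0 SessionCookieConfig API, and it also carries a small helper that checks a Set-Cookie header value for both attributes, which is the same check you would do by eye in HttpWatch or TamperData.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import java.util.Locale;

/**
 * Programmatic equivalent of the web.xml <cookie-config> block (Servlet 3.0+).
 * Example code for this post; the class name is an assumption, not a framework API.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        // SessionCookieConfig may only be changed while the context is still
        // initialising, which is why this lives in a ServletContextListener.
        cfg.setHttpOnly(true);   // script on the page cannot read the session id
        cfg.setSecure(true);     // browser sends the session cookie over HTTPS only
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /**
     * Returns true only if the Set-Cookie header value carries both the
     * HttpOnly and Secure attributes. Attribute names are matched
     * case-insensitively, as browsers do.
     */
    public static boolean hasHttpOnlyAndSecure(String setCookieHeader) {
        boolean httpOnly = false;
        boolean secure = false;
        String[] parts = setCookieHeader.split(";");
        // parts[0] is the name=value pair; the rest are attributes
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals("httponly")) {
                httpOnly = true;
            } else if (attr.equals("secure")) {
                secure = true;
            }
        }
        return httpOnly && secure;
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured from a real server.
        String missingFlags = "JSESSIONID=ABC123; Path=/";
        String bothFlags = "JSESSIONID=ABC123; Path=/; Secure; HttpOnly";
        System.out.println("missing flags: " + hasHttpOnlyAndSecure(missingFlags));
        System.out.println("both flags:    " + hasHttpOnlyAndSecure(bothFlags));
    }
}
```

Two points worth keeping in mind when you roll this out. First, both the web.xml block and the listener only affect the container's own session cookie (JSESSIONID); any cookie your application creates itself still needs the flags set on the Cookie object, with setHttpOnly(true) and setSecure(true), before it is added to the response. Second, once Secure is on, the browser will never send the session cookie over plain HTTP, so the application has to be served over HTTPS end to end or users will appear to lose their session on every request.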

Below are the reference URLs for more details.

https://blog.whitehatsec.com/session-cookie-httponly-flag-java/
https://www.owasp.org/index.php/HttpOnly
http://www.coderforlife.com/test/http-only-cookie/
http://forum.springsource.org/showthread.php?110468-How-do-I-set-httpOnly-and-secure-cookies-with-Spring-Security
http://www.coderanch.com/t/567485/Servlets/java/cookies-marked-HttpOnly-Servlet

Here are some pen testing tools; have a look at them.

http://www.computerworld.com/s/article/9087439/Five_free_pen_testing_tools

Happy Coding!

Stay tuned for more updates.

Have a nice day 🙂

Posted by on March 8, 2013 in Uncategorized
