bNd

Reputation: 7630

Is the HttpOnly attribute setting missing in JBoss 7?

I used the following steps with JBoss 5 and 6, but these are not applicable to JBoss 7:

  - change server/CONFIG/deploy/jbossweb.sar/context.xml
  - add <SessionCookie httpOnly="true" secure="true" />

The solution I found for JBoss 7 is to add the http-only tag to the session config in web.xml:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

So as I understand it, this is about configuration at the application level (web.xml). So how can we do the settings for cookie protection for the whole JBoss instance? It was a good idea to allow global configuration of the session cookie in JBoss 5/6; is this feature missing in JBoss 7? This question may be repeated on StackOverflow, but I could not get proper clarity from those answers.

Upvotes: 4

Views: 4233

Answers (1)

Tomaz Cerar

Reputation: 5791

No need to configure this as part of some proprietary config file. This configuration is now part of the Servlet spec, which means it can be configured as part of web.xml:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

Just make sure you use the 3.0 XSD version of web.xml.

Upvotes: 2
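As an added example (not code from the question or the answer above): a small Python audit that parses a web.xml, confirms the descriptor declares Servlet 3.0 or later (the point about the 3.0 XSD, since the 2.5 schema has no cookie-config element), and reports whether http-only and secure are set on the session cookie. Both web.xml strings are constructed sample inputs, and check_session_cookie_config is a hypothetical helper name; the 3.0 sample also shows the full web-app header that the cookie-config block needs.

```python
"""Audit a Servlet web.xml for session-cookie hardening (HttpOnly / Secure).

Constructed example: the two web.xml strings are sample inputs written for
this script, and check_session_cookie_config is a hypothetical helper name.
"""
import xml.etree.ElementTree as ET

# Servlet 3.0 descriptor with the cookie-config block from the post, plus the
# 3.0 schema header it requires. Constructed sample input.
WEB_XML_30 = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""

# Servlet 2.5 descriptor: that schema has no <cookie-config>, so the flags
# cannot be set here at all. Constructed sample input.
WEB_XML_25 = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit('}', 1)[-1]


def _find_child(elem, name):
    """Return the first direct child whose local tag name matches, else None."""
    if elem is None:
        return None
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _flag(cookie_config, name: str) -> bool:
    """True only if <cookie-config> carries <name>true</name>."""
    child = _find_child(cookie_config, name)
    return child is not None and (child.text or '').strip().lower() == 'true'


def check_session_cookie_config(web_xml: str) -> dict:
    """Parse a web.xml and report the session-cookie protection it declares."""
    root = ET.fromstring(web_xml)
    version = root.get('version', '')
    findings = []

    # cookie-config only exists from the Servlet 3.0 schema onwards
    try:
        major, minor = (int(p) for p in version.split('.')[:2])
        servlet3 = (major, minor) >= (3, 0)
    except ValueError:
        servlet3 = False
    if not servlet3:
        findings.append(f'web-app version {version!r} predates Servlet 3.0; '
                        '<cookie-config> is not available in this descriptor')

    session_config = _find_child(root, 'session-config')
    cookie_config = _find_child(session_config, 'cookie-config')
    http_only = _flag(cookie_config, 'http-only')
    secure = _flag(cookie_config, 'secure')
    if not http_only:
        findings.append('session cookie will be issued without HttpOnly')
    if not secure:
        findings.append('session cookie will be issued without Secure')

    return {'version': version, 'servlet3': servlet3,
            'http_only': http_only, 'secure': secure, 'findings': findings}


if __name__ == '__main__':
    for label, doc in (('servlet-3.0', WEB_XML_30), ('servlet-2.5', WEB_XML_25)):
        result = check_session_cookie_config(doc)
        print(label, 'OK' if not result['findings'] else result['findings'])
```

The check is per deployment, which matches the answer: because cookie-config lives in each application's web.xml, auditing a server means running this over every deployed descriptor rather than one server-wide file.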
