
We are setting the parameter httpOnly to true in the web.xml file to prevent cookie creation at the client side. This is causing a problem reading the cookie values. We are using the following way to read the JSESSIONID cookie in GWT:

Cookie.getCookie("JSESSIONID");

This returns undefined. If I remove the attribute HttpOnly=true in web.xml, it works fine and returns the cookie.

Can anyone please suggest a way to get the JSESSIONID cookie with HttpOnly true?

bNd

1 Answer

HttpOnly is not what you think it is. Its sole purpose is to tell browsers to specifically not expose the cookie to script, and only use it at the HTTP level.

Nothing can prevent a cookie from being forged by the client. There are a few ways to prevent cross-site request forgery (CSRF) by so-called session fixation attacks, but HttpOnly is not one of them. HttpOnly helps with cross-site scripting (XSS), so that if the page includes a malicious 3rd-party script, it cannot read the cookie to send it to a 3rd-party server (probably to use it later for a session fixation attack, but that's only possible if your site is vulnerable to them).

Thomas Broyer
  • Thanks for the elaboration on HttpOnly. In my project, there is a feature that the user should be logged out when they clear history. But in STQC, the HttpOnly attribute is required to be enabled in the JBoss server. Now I am unable to achieve my feature because, due to HttpOnly, I am unable to access the cookie. Can you help me out with this? – bNd Nov 30 '12 at 14:44
  • You can possibly use a [dynamic host page](https://developers.google.com/web-toolkit/articles/dynamic_host_page) and have your server pass the session ID that way; it's about passing a particular value from server to client at load time here, not about cookies. – Thomas Broyer Nov 30 '12 at 15:07
  • Yes, this approach is already implemented in my project, i.e. JSP-GWT integration. But when I clear history in the GWT app, that session ID is not deleted as it's not part of a cookie now, right? So how could I come to know that the user deleted history and that I should redirect him to the home page? – bNd Dec 01 '12 at 05:27
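As an added example (not code from the question or the answer), a Servlet 3.0 host-page servlet that keeps JSESSIONID HttpOnly through web.xml and passes a server-chosen value to the GWT module at load time through a GWT Dictionary, which is the dynamic-host-page approach the answer points to. The servlet name, URL pattern, dictionary name, session attribute and module path are assumptions.

```java
// Added example, not from the question or answer: keep JSESSIONID HttpOnly
// (web.xml: <session-config><cookie-config><http-only>true</http-only>
// </cookie-config></session-config>) and pass a server-chosen value to the
// GWT module at load time instead of letting script read the cookie.
// HostPageServlet, "/app", "appInfo", "user" and the module path are assumptions.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/app")
public class HostPageServlet extends HttpServlet {
    // Quote a value as a JS string literal so it cannot break out of the
    // inline <script> (covers quotes, backslashes, newlines and "</script>").
    static String jsString(String s) {
        StringBuilder b = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  b.append("\\\""); break;
                case '\\': b.append("\\\\"); break;
                case '<':  b.append("\\u003c"); break;
                case '\n': b.append("\\n"); break;
                case '\r': b.append("\\r"); break;
                default:   b.append(c);
            }
        }
        return b.append('"').toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);   // never create one here
        Object user = session == null ? null : session.getAttribute("user");
        boolean loggedIn = user != null;
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");   // page content is per-user
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><head><script>var appInfo = {");
        out.println("  loggedIn: " + jsString(String.valueOf(loggedIn)) + ",");
        out.println("  user: " + jsString(loggedIn ? user.toString() : ""));
        out.println("};</script><script src='myapp/myapp.nocache.js'></script>");
        out.println("</head><body></body></html>");
        // GWT side: Dictionary.getDictionary("appInfo").get("loggedIn")
    }
}
```

The host page deliberately carries a derived value (logged-in flag and user name) rather than the raw session ID, because embedding the session ID in the page would hand script exactly the value HttpOnly withholds from it.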