Posted to users@tomcat.apache.org by Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov> on 2011/02/28 22:31:51 UTC

Context - useHttpOnly

A security audit of my site indicated a "Missing HttpOnly attribute in Session Cookie" problem.  If this is a security problem, then why does the useHttpOnly attribute in Context default to false?  I'm not specifically setting any cookies...

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

Using CATALINA_BASE:   "C:\apache-tomcat-6.0.29"
Using CATALINA_HOME:   "C:\apache-tomcat-6.0.29"
Using CATALINA_TMPDIR: "C:\apache-tomcat-6.0.29\temp"
Using JRE_HOME:        "C:\Program Files\Java\jdk1.6.0_20"
Using CLASSPATH:       "C:\apache-tomcat-6.0.29\bin\bootstrap.jar"
Server version: Apache Tomcat/6.0.29
Server built:   July 19 2010 1458
Server number:  6.0.0.29
OS Name:        Windows 2003
OS Version:     5.2
Architecture:   x86
JVM Version:    1.6.0_20-b02
JVM Vendor:     Sun Microsystems Inc

Leo


Re: Context - useHttpOnly

Posted by Mark Thomas <ma...@apache.org>.
On 28/02/2011 21:31, Leo Donahue - PLANDEVX wrote:
> A security audit of my site indicated a "Missing HttpOnly attribute in Session Cookie" problem.  If this is a security problem,

In and of itself a missing httpOnly attribute is not a security
vulnerability. It is, however, a good idea to enable it since it
provides a fair amount of protection should your web app have an XSS
vulnerability (and most apps do).

> then why does the useHttpOnly attribute in Context default to false?

Backwards compatibility. The feature was added just after a lot of other
cookie changes (to make Tomcat more specification compliant) that caused
issues for a fair number of users whose apps were not spec compliant.
The Tomcat devs voted to make it disabled by default to reduce the risk
of further backwards compatibility issues.

It is enabled by default in Tomcat 7.

Mark
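A small check for the audit finding discussed in this thread, added here as an example and not part of the original mailing-list posts: it parses Set-Cookie header values and reports a session cookie (JSESSIONID by default) that carries no HttpOnly attribute. The two sample header sets are constructed, not captured from a real Tomcat instance; the fix itself is the Context attribute from the linked docs, e.g. `<Context useHttpOnly="true">` in context.xml on Tomcat 6.

```python
"""Flag session cookies issued without the HttpOnly attribute.

Added example for the thread above. The sample Set-Cookie values below are
constructed: the first mimics what Tomcat 6.0.x emits with the default
useHttpOnly="false", the second what it emits once the Context element has
useHttpOnly="true" (Tomcat 7 enables this by default).
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure, which have no value, map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def audit_session_cookies(headers, session_names=("JSESSIONID",)):
    """Return (cookie name, finding) pairs for session cookies missing HttpOnly.

    Only cookies whose name is in session_names are inspected, so ordinary
    application cookies do not produce noise.
    """
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name in session_names and "httponly" not in attrs:
            findings.append((name, "Missing HttpOnly attribute in Session Cookie"))
    return findings


# Constructed samples (not real captures).
TOMCAT6_DEFAULT = ["JSESSIONID=ABC123; Path=/myapp"]
TOMCAT6_HTTPONLY = ["JSESSIONID=ABC123; Path=/myapp; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("useHttpOnly=false", TOMCAT6_DEFAULT),
                           ("useHttpOnly=true", TOMCAT6_HTTPONLY)):
        print(label, "->", audit_session_cookies(headers) or "OK")
```

To check a live server, feed the values of its Set-Cookie response headers to audit_session_cookies; an empty list means every session cookie carried HttpOnly.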
