How to set HTTPOnly for the cookie for JBOSS EAP 6.4


Monika Tiwari

Aug 17, 2016, 4:04:02 AM
to OWASP ZAP User Group
By referring to these OWASP recommendations, I tried using the HttpOnly flag with my JSESSIONID,
but I am unable to do so, as there is no solution given for JBoss 6 and above.
Please provide me the correct solution.

I tried this:

In web.xml

<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

By doing this my purpose gets solved, but it generates a new JSESSIONID for each request and is unable to persist the session.
:-)
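A small checker for the two things the question is about, the cookie flags set by that cookie-config and whether the session id actually persists across responses. This is an added example, not code from the post or from JBoss; the Set-Cookie headers in it are constructed samples, and in practice you would feed it the Set-Cookie values captured by ZAP or your browser's developer tools.

```python
"""Audit Set-Cookie headers for a JSESSIONID: flags and session persistence."""

SESSION_COOKIE = "JSESSIONID"


def parse_set_cookie(header: str) -> dict:
    """Split one raw Set-Cookie value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_session_cookie(header: str, name: str = SESSION_COOKIE) -> list:
    """Return findings for the session cookie; an empty list means both flags are set."""
    cookie = parse_set_cookie(header)
    if cookie["name"] != name:
        return []
    findings = []
    if "httponly" not in cookie["attrs"]:
        findings.append("missing HttpOnly")
    if "secure" not in cookie["attrs"]:
        findings.append("missing Secure")
    return findings


def session_ids_stable(headers: list, name: str = SESSION_COOKIE) -> bool:
    """True if one logical session is kept across a sequence of responses.

    A server normally sends Set-Cookie for the session id once; seeing a
    different JSESSIONID value in later responses of the same client means
    the session is being re-created on every request, the symptom described
    above (a Secure cookie is never returned by the browser over plain http,
    so that is one thing to look at).
    """
    ids = {c["value"] for c in map(parse_set_cookie, headers) if c["name"] == name}
    return len(ids) <= 1


# Constructed samples: before the cookie-config change, after it, and a churning session.
BEFORE = ["JSESSIONID=abc123; Path=/app"]
AFTER = ["JSESSIONID=abc123; Path=/app; Secure; HttpOnly"]
CHURN = ["JSESSIONID=aaa111; Path=/app; Secure; HttpOnly",
         "JSESSIONID=bbb222; Path=/app; Secure; HttpOnly"]

if __name__ == "__main__":
    print(check_session_cookie(BEFORE[0]))   # ['missing HttpOnly', 'missing Secure']
    print(check_session_cookie(AFTER[0]))    # []
    print(session_ids_stable(CHURN))         # False
```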

kingthorin+owaspzap

Aug 17, 2016, 5:58:51 AM
to OWASP ZAP User Group