Setting HttpOnly in Java: how to set HttpOnly and Secure session cookies for a Java web application

Hi, I am working on an XSS (cross-site scripting) issue. My application is developed on Oracle WebLogic Portal. We use Servlet 2.5.

I have added the below 3 lines of code in the filter for setting HttpOnly and Secure cookies, and it is working fine.

// Inside the filter's doFilter(); req/res are HttpServletRequest/HttpServletResponse
String sessionid = req.getSession().getId();

// A second setHeader("Set-Cookie", ...) replaces the first (header names are case-insensitive),
// so both flags must go on the same Set-Cookie header
res.setHeader("Set-Cookie", "JSESSIONID=" + sessionid + "; HttpOnly; Secure");

The issue is that when I log out and log in again immediately in the same browser, I am able to log in, but after that I get a session timeout issue on the JSP pages. We use WebLogic-related APIs; the request.getUserPrincipal() API is returning null. I guess it is being set to null.

Any ideas? Please share.

If there are any other ways to set the HttpOnly or Secure flag, please help.

Solution

Depending on the specifics of your web container, modifying container-managed session cookies within an app can cause the app server to toss the existing session and create a new one. I've observed this on Tomcat, but it may be similar for WebLogic.

If you're using Servlet 3.0, you can actually instruct the app server to ensure that all session cookies are HttpOnly and Secure with the following web.xml fragment:

    <session-config>
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>
    </session-config>

This is a better approach than manually hacking on the cookies with a filter.

FYI: I've also written a Java library that injects a number of security related response headers in Servlet based apps.
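The same container-level setting can be applied without editing web.xml. The listener below is an added example, not code from the question, the answer or the library mentioned above; it uses the standard Servlet 3.0 SessionCookieConfig API and assumes the application runs on a Servlet 3.0 or later container (it will not compile against Servlet 2.5, which has no such API). The class name is made up for the example.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Programmatic equivalent of the web.xml <cookie-config> fragment (added example,
 * hypothetical class name). The container itself then issues JSESSIONID with the
 * HttpOnly and Secure attributes, so no filter has to rewrite the Set-Cookie header
 * and the existing session is not discarded when a user logs out and back in.
 */
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // SessionCookieConfig may only be changed while the context is still being
        // initialized, which is exactly when this callback runs.
        SessionCookieConfig cookieConfig = sce.getServletContext().getSessionCookieConfig();

        // Keep the session id out of document.cookie, so injected script cannot read it.
        cookieConfig.setHttpOnly(true);

        // Only send the session cookie over TLS. Enable this only when the application
        // is actually served over HTTPS, otherwise the browser will never return it.
        cookieConfig.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to clean up.
    }
}
```

After deployment, verify the result by inspecting the Set-Cookie header on the first response that creates a session: it should read JSESSIONID=...; HttpOnly; Secure. Calling the setters after startup (for example from a servlet) throws IllegalStateException, which is why the change belongs in a context listener.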
