How to configure JBoss 4.0.* to make session cookie HttpOnly and secure?

Submitted by 喜欢而已 on 2021-01-28 12:13:17

Question


I tried

<Context cookies="true" crossContext="true">
    <SessionCookie secure="true" httpOnly="true" />
</Context>

in context.xml, but it is not recognised in JBoss 4.0,

and I tried in a Java program

String sessionid = req.getSession().getId();
resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + req.getContextPath() + "; Secure; Domain=" + req.getServerName() + "; HttpOnly");

but on the 2nd request it does not let me get the session validation object for the session, so it shows the session expired page,

and I tried with filters

// flag appended to the cookie when the request arrived over HTTPS
private static final String SECURE_FLAG = "; Secure";

public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain filterChain) throws IOException, ServletException {
    final HttpServletResponse response = (HttpServletResponse) res;
    final HttpServletRequest request = (HttpServletRequest) req;
    System.out.println(response.containsHeader("SET-COOKIE"));
    if (response.containsHeader("Set-Cookie")) {  // *******
        response.setHeader("SET-COOKIE", "JSESSIONID=" + request.getSession().getId() + "; Path=" + request.getContextPath()
                + "; HttpOnly" + (request.isSecure() ? SECURE_FLAG : ""));
    }
    filterChain.doFilter(req, res);
}

If I use the above filter, response.containsHeader("SET-COOKIE") or response.containsHeader("Set-Cookie") always returns false.

Can anyone give me a solution for configuring the JBoss 4.0 JSESSIONID flags as Secure and HttpOnly?


Answer 1:


I can confirm that for JBoss 4.0.3 it works by manipulating the header in Filter implementation class. This works for me:

String sessionid = ((HttpServletRequest) request).getSession().getId();
((HttpServletResponse)response).setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

I've yet to confirm as to why a solution through context.xml is not supported. I have not found any references, only blog posts claiming that the only way to do it in JBoss 4 is programmatically. http://syams18.blogspot.se/2012/01/setting-httponly-in-jboss-httponly-is.html
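Fleshing out the header-overwrite technique from this answer into a complete Servlet 2.4 filter, as an added example that is not code from the answer or from JBoss. The class and method names are mine; it assumes the default JSESSIONID cookie name and that the filter is mapped in web.xml in front of the application's own filters.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Re-emits the JSESSIONID cookie with HttpOnly (and Secure over HTTPS) on a
 * Servlet 2.4 container such as JBoss 4, whose Cookie class has no setHttpOnly().
 * Class name and layout are this example's own, not a JBoss API.
 */
public class SessionCookieFlagsFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Before getSession() nothing has been added, which is why a containsHeader()
        // check in a filter reports false. Creating the session here makes the container
        // emit its own Set-Cookie; setHeader then replaces every Set-Cookie value with
        // ours while the response is still uncommitted. Scope the filter's url-pattern
        // so this does not create sessions for static resources.
        HttpSession session = request.getSession(true);
        response.setHeader("Set-Cookie",
                buildSessionCookie(session.getId(), request.getContextPath(), request.isSecure()));

        chain.doFilter(req, res);
    }

    /** Path must match what the container sends, or the browser ends up holding two cookies. */
    static String buildSessionCookie(String sessionId, String contextPath, boolean secure) {
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        StringBuilder cookie = new StringBuilder("JSESSIONID=").append(sessionId)
                .append("; Path=").append(path).append("; HttpOnly");
        if (secure) {
            cookie.append("; Secure");
        }
        return cookie.toString();
    }
}
```

Leaving out the Domain attribute keeps the cookie host-only, the same scope the container's own cookie has, so the browser keeps sending the one session id rather than two.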




Answer 2:


Under server/default/deploy/jboss-web.deployer/conf/web.xml look for a filter that calls the org.jboss.web.tomcat.filters.ReplyHeaderFilter and add the set cookie params during initialization, i.e.

<filter>
  <filter-name>CommonHeadersFilter</filter-name>
  <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
  <init-param>
    <param-name>X-Powered-By</param-name>
    <param-value>Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0;</param-value>
  </init-param>
  <init-param>
    <param-name>Set-Cookie</param-name>
    <param-value>Secure; HttpOnly</param-value>
  </init-param>
</filter>



Source: https://stackoverflow.com/questions/29146465/how-to-configure-jboss-4-0-to-make-session-cookie-httponly-and-secure
