The settings for Tomcat are shown below. Consult the documentation for your application server on how to set httpOnly cookies.
Setting httpOnly for Tomcat 7
Tomcat 7 sets httpOnly on session ID cookies by default. However, on some versions of Tomcat 7, a session error will occur while running reports, with the log error "A request has been denied as a potential CSRF attack." This is due to a known conflict between security settings in the Direct Web Remoting (DWR) 2.x library and some versions of Tomcat 7.0.x:
• Tomcat 7 sets httpOnly on session ID cookies to safeguard against cross-site scripting (XSS) attacks.
• DWR 2.x uses session ID cookies to safeguard against cross-site request forgery (CSRF).
To work around this problem, you must modify these safeguards by doing one of the following:
• Allowing requests from other domains in DWR, or
• Disabling httpOnly for cookies in Tomcat
For more information on the security impact and relative risks of these two choices, see, for example, the Cross-site Scripting and Cross-site Request Forgery pages at the Open Web Application Security Project (OWASP).
Allowing Requests from Other Domains in DWR
DWR is a server-side component used for input controls. By default, DWR uses session ID cookies to protect against cross-site request forgery. You can disable this protection in DWR by setting the crossDomainSessionSecurity parameter for the dwr servlet in the file <tomcat>/webapps/jasperserver-pro/WEB-INF/web.xml:
Disabling httpOnly for Cookies in Tomcat 7
You can disable httpOnly in the file <tomcat>/conf/context.xml:
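Since each workaround relaxes one of the two safeguards, it is worth being able to check which one a given installation has turned off. The following audit script is an added example, not part of the original documentation: it parses a Tomcat context.xml and a web.xml and reports whether useHttpOnly on <Context> or crossDomainSessionSecurity on the dwr servlet is disabled. It assumes the Tomcat 7 default (useHttpOnly on) and the DWR 2.x default (crossDomainSessionSecurity on), and the two sample files are constructed inline.

```python
import xml.etree.ElementTree as ET

# Constructed <tomcat>/conf/context.xml with the Tomcat 7 workaround applied.
CONTEXT_XML = '<Context useHttpOnly="false"></Context>'

# Constructed WEB-INF/web.xml with the DWR workaround applied; the default
# namespace is the one a Java EE web.xml normally declares.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>dwr</servlet-name>
    <init-param>
      <param-name>crossDomainSessionSecurity</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""

def _local(tag):
    # Strip the {namespace} prefix ElementTree puts on namespaced tags.
    return tag.rsplit("}", 1)[-1]

def context_httponly(context_xml):
    # Tomcat 7 defaults useHttpOnly to true; only an explicit "false" disables it.
    return ET.fromstring(context_xml).get("useHttpOnly", "true").strip().lower() != "false"

def dwr_cross_domain_session_security(web_xml):
    # DWR 2.x defaults this to true; only an explicit "false" on the dwr servlet disables it.
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-name") != "dwr":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "crossDomainSessionSecurity":
                return kv.get("param-value", "true").lower() != "false"
    return True

def audit(context_xml, web_xml):
    # Report which of the two safeguards is relaxed; the workaround needs only one.
    findings = []
    if not context_httponly(context_xml):
        findings.append("tomcat: useHttpOnly=false (session cookie readable by script)")
    if not dwr_cross_domain_session_security(web_xml):
        findings.append("dwr: crossDomainSessionSecurity=false (CSRF check disabled)")
    return findings
```

If audit() returns two findings, both safeguards have been relaxed and one of them should be restored, since the conflict described above only requires giving up one.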
Setting httpOnly for Tomcat 6
In Apache Tomcat 6.0.19 or higher, you can enable httpOnly in the file <tomcat>/conf/context.xml: