Setting httpOnly for Cookies

Setting httpOnly for Cookies

The application server that hosts JasperReports Server handles the session cookie. To prevent malicious scripts on a client from accessing the user connection, you should set the application server to use httpOnly cookies. This tells the browser that only the server may access the cookie, not scripts running on the client. This setting safeguards against cross-site scripting (XSS) attacks.

The settings for Tomcat are shown below. Consult the documentation for your application server on how to set httpOnly cookies.

Setting httpOnly for Tomcat 7

Tomcat 7 sets httpOnly on session ID cookies by default. However, on some versions of Tomcat 7, a session error will occur while running reports, with the log error “A request has been denied as a potential CSRF attack.” This is caused by a known conflict between security settings in Direct Web Remote library (DWR) 2.x and some versions of Tomcat 7.0.x:

Tomcat 7 sets httpOnly on session ID cookies to safeguard against cross-site scripting (XSS) attacks.
DWR 2.x uses session ID cookies to safeguard against cross-site request forgery (CSRF).

To work around this problem, you must modify these safeguards by doing one of the following:

Allowing requests from other domains in DWR


Disabling httpOnly for cookies in Tomcat

For more information on the security impact and relative risks of these two choices, see the Cross-site Scripting and Cross-site Request Forgery pages at the Open Web Application Security Project (OWASP).

Allowing Requests from Other Domains in DWR

DWR is a server-side component used for input controls. By default, DWR uses session ID cookies to prevent cross-site request forgery. You can disable the protection in DWR by setting the crossDomainSessionSecurity parameter for the dwr servlet in the file <tomcat>\webapps\jasperserver-pro\WEB-INF\web.xml.


Disabling httpOnly for Cookies in Tomcat 7

You can disable httpOnly in the file <tomcat>/conf/context.xml:

<Context useHttpOnly="false">

Setting httpOnly for Tomcat 6

In Apache Tomcat 6.0.19 or higher, you can enable httpOnly in the file <tomcat>/conf/context.xml:

<Context useHttpOnly="true">