Gentlemen,

I'd like to make a suggestion to add HTTPOnly support to Tomcat 5.5 (for starters). This is a significant security enhancement that will assist in preventing XSS attacks. http://msdn2.microsoft.com/en-us/library/ms533046.aspx

Since the javax core is a "sacred" portion of the codebase, I'd like to get your feedback on my solution proposal. It involves changes to the org.apache.catalina.connector.Request.java, org.apache.catalina.connector.Response.java and org.apache.tomcat.util.http.ServerCookie.java.

org.apache.catalina.connector.Request.java includes the following code to set the JSESSIONID. addCookieInternal is where the cookie magic happens.

```java
// Creating a new session cookie based on that session
if ((session != null) && (getContext() != null)
        && getContext().getCookies()) {
    Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
                               session.getIdInternal());
    configureSessionCookie(cookie);
    response.addCookieInternal(cookie);   // <-- the call that writes the header
}
```

Next we would need to modify the functionality of response.addCookieInternal in some way from org.apache.catalina.connector.Response.java. These are my suggested backward-compatible changes:

```java
// Existing entry point, kept for callers that do not pass the flag
public void addCookieInternal(final Cookie cookie) {
    addCookieInternal(cookie, false);
}

// New overload: when HTTPOnly is true, the HttpOnly attribute is appended
public void addCookieInternal(final Cookie cookie, boolean HTTPOnly) {

    if (isCommitted())
        return;

    final StringBuffer sb = new StringBuffer();
    // web application code can receive an IllegalArgumentException
    // from the appendCookieValue invocation
    if (SecurityUtil.isPackageProtectionEnabled()) {
        AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
                ServerCookie.appendCookieValue
                    (sb, cookie.getVersion(), cookie.getName(),
                     cookie.getValue(), cookie.getPath(),
                     cookie.getDomain(), cookie.getComment(),
                     cookie.getMaxAge(), cookie.getSecure());
                return null;
            }
        });
    } else {
        ServerCookie.appendCookieValue
            (sb, cookie.getVersion(), cookie.getName(),
             cookie.getValue(), cookie.getPath(),
             cookie.getDomain(), cookie.getComment(),
             cookie.getMaxAge(), cookie.getSecure());
    }
    // of course, we really need to modify ServerCookie, but this is the general idea
    if (HTTPOnly) {
        sb.append("; HttpOnly");
    }

    // if we reached here, no exception, cookie is valid
    // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
    // RFC2965 is not supported by browsers and the Servlet spec
    // asks for 2109.
    addHeader("Set-Cookie", sb.toString());

    cookies.add(cookie);
}
```


Any thoughts would be greatly appreciated.

- Jim
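Added example (editor's illustration, not code from the post or from Tomcat): a stand-alone sketch of what an `appendCookieValue` overload carrying the proposed HttpOnly flag could emit, together with the check a practitioner would run against a real `Set-Cookie` header to confirm the attribute is present. The parameter order follows the `ServerCookie.appendCookieValue` call in the post; the extra `isHttpOnly` parameter, the `hasHttpOnly` helper and the sample session id are assumptions for the example. The real `ServerCookie` also quotes values and maps `maxAge` to `Expires` for version 0 cookies; that is deliberately left out here.

```java
import java.util.Locale;

/**
 * Added example, not Tomcat's code: build a Set-Cookie value with an
 * optional HttpOnly attribute and check a header for that attribute.
 */
public class HttpOnlyCookieExample {

    // Same parameter order as the ServerCookie.appendCookieValue call in the
    // post, plus the proposed isHttpOnly flag (assumed signature, simplified).
    public static void appendCookieValue(StringBuffer buf, int version,
            String name, String value, String path, String domain,
            String comment, int maxAge, boolean isSecure, boolean isHttpOnly) {
        buf.append(name).append('=').append(value);
        if (version == 1) {
            buf.append("; Version=1");
            if (comment != null) {
                buf.append("; Comment=").append(comment);
            }
        }
        if (domain != null) {
            buf.append("; Domain=").append(domain);
        }
        if (maxAge >= 0) {
            buf.append("; Max-Age=").append(maxAge);
        }
        if (path != null) {
            buf.append("; Path=").append(path);
        }
        if (isSecure) {
            buf.append("; Secure");
        }
        if (isHttpOnly) {
            buf.append("; HttpOnly");
        }
    }

    // Verification for a captured header (e.g. from a raw HTTP response):
    // attribute names are compared case-insensitively, and the first
    // "name=value" segment is skipped so a cookie *named* HttpOnly does
    // not count as the flag.
    public static boolean hasHttpOnly(String setCookieValue) {
        String[] parts = setCookieValue.split(";");
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().toLowerCase(Locale.ENGLISH).equals("httponly")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values; "ABC123" stands in for a real session id.
        StringBuffer sb = new StringBuffer();
        appendCookieValue(sb, 0, "JSESSIONID", "ABC123", "/", null, null,
                          -1, false, true);
        String flagged = sb.toString();
        System.out.println("Set-Cookie: " + flagged);
        System.out.println("HttpOnly present: " + hasHttpOnly(flagged));

        // What the unmodified addCookieInternal would have emitted.
        String plain = "JSESSIONID=ABC123; Path=/";
        System.out.println("Set-Cookie: " + plain);
        System.out.println("HttpOnly present: " + hasHttpOnly(plain));
    }
}
```

The second check is the one worth keeping in a test suite after the change lands: fetch a page that creates a session and assert that the `JSESSIONID` header carries `HttpOnly`, since a browser that honours the attribute will hide the cookie from `document.cookie` only if the attribute actually reaches the wire.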
