haven't forgotten about you, it's still on the todo list.
Filip
Jim Manico wrote:
Gentlemen,
I'd like to make a suggestion to add HTTPOnly support to Tomcat 5.5
(for starters). This is a significant security enhancement that will
assist in preventing XSS attacks.
http://msdn2.microsoft.com/en-us/library/ms533046.aspx
Since the javax core is a "sacred" portion of the codebase, I'd like
to get your feedback on my solution proposal. It involves changes to
the org.apache.catalina.connector.Request.java,
org.apache.catalina.connector.Response.java and
org.apache.tomcat.util.http.ServerCookie.java.
org.apache.catalina.connector.Request.java includes the following code
to set the JSESSIONID. addCookieInternal is where the cookie magic
happens.
    // Creating a new session cookie based on that session
    if ((session != null) && (getContext() != null)
            && getContext().getCookies()) {
        Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
                                   session.getIdInternal());
        configureSessionCookie(cookie);
        response.addCookieInternal(cookie);
    }
Next we would need to modify the functionality of
response.addCookieInternal in some way from
org.apache.catalina.connector.Response.java. These are my suggested
backward-compatible changes:
    public void addCookieInternal(final Cookie cookie) {
        addCookieInternal(cookie, false);
    }

    public void addCookieInternal(final Cookie cookie, boolean HTTPOnly) {

        if (isCommitted())
            return;

        final StringBuffer sb = new StringBuffer();
        // web application code can receive an IllegalArgumentException
        // from the appendCookieValue invocation
        if (SecurityUtil.isPackageProtectionEnabled()) {
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    ServerCookie.appendCookieValue
                        (sb, cookie.getVersion(), cookie.getName(),
                         cookie.getValue(), cookie.getPath(),
                         cookie.getDomain(), cookie.getComment(),
                         cookie.getMaxAge(), cookie.getSecure());
                    return null;
                }
            });
        } else {
            ServerCookie.appendCookieValue
                (sb, cookie.getVersion(), cookie.getName(),
                 cookie.getValue(),
                 cookie.getPath(), cookie.getDomain(),
                 cookie.getComment(),
                 cookie.getMaxAge(), cookie.getSecure());
        }

        // of course, we really need to modify ServerCookie, but this
        // is the general idea
        if (HTTPOnly) {
            sb.append("; HttpOnly");
        }

        // if we reached here, no exception, cookie is valid
        // the header name is Set-Cookie for both "old" and v.1 (RFC2109)
        // RFC2965 is not supported by browsers and the Servlet spec
        // asks for 2109.
        addHeader("Set-Cookie", sb.toString());
        cookies.add(cookie);
    }
Any thoughts would be greatly appreciated.
- Jim
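An added example, not Tomcat's code and not part of this thread, written in Python rather than Java so it runs stand-alone: it serialises a cookie with the trailing HttpOnly attribute the proposal appends, then audits captured Set-Cookie headers for a JSESSIONID that lacks HttpOnly or Secure. The helper names (build_set_cookie, parse_set_cookie, audit_session_cookies) and the sample headers are assumptions constructed for this example.

```python
# Added example, not Tomcat code: serialise a Set-Cookie value the way the
# proposal appends "; HttpOnly", then audit headers for session cookies
# lacking the flag. Sample headers below are constructed.
SESSION_COOKIE_NAME = "JSESSIONID"  # Globals.SESSION_COOKIE_NAME in Tomcat

def build_set_cookie(name, value, path=None, secure=False, http_only=False):
    # Simplified version-0 serialisation (hypothetical stand-in for
    # ServerCookie.appendCookieValue); HttpOnly goes last, as in the proposal.
    parts = [f"{name}={value}"]
    if path:
        parts.append(f"Path={path}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)

def parse_set_cookie(header):
    # Split a Set-Cookie value into (name, value, attrs); attribute names are
    # lower-cased, flag attributes such as HttpOnly map to None.
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, sep, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs

def audit_session_cookies(headers, session_name=SESSION_COOKIE_NAME):
    # One finding per session cookie missing HttpOnly (readable by script)
    # or Secure (sent over plain HTTP); other cookies are ignored.
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name != session_name:
            continue
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
    return findings

# Constructed sample: the header an unpatched Tomcat emits, then one built
# with the proposed flag set.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app",
    build_set_cookie("JSESSIONID", "0123456789ABCDEF", path="/app",
                     secure=True, http_only=True),
]
```

Running audit_session_cookies(SAMPLE_HEADERS) reports only the first header, which is what a deployment check against a server's actual response headers should show once the flag is in place.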