[Esapi-user] httpOnly flag and WebSphere

Mungo Carstairs mungo_carstairs at standardlife.com
Wed Dec 16 09:14:24 EST 2009

Apologies if this is slightly off-topic but I think those interested 
follow this list.
Several blogs quote IBM as saying they added support for httpOnly cookies 
in WebSphere last year.
After trying and failing to get this to work for session cookies, I've had 
confirmation from IBM that this does not include cookies set server-side 
(including JSESSIONID).
All it does is provide some sort of support when the flag is set by the 
client, which as I understand it is not the main point for XSS protection.
So anyone keen to persuade them to do this properly - feel free to have 
another go!
Whether an ESAPI filter should pick this up, or alternative methods (we're 
looking at an application firewall rule) I'll leave to the experts to 
Thanks and keep up the great work!
Mungo Carstairs
Senior Systems Developer
Business Solutions
Standard Life Employee Services Limited

Tel:    +44 (0)131 246 2785
