[Esapi-user] httpOnly flag and WebSphere

Jim Manico jim.manico at owasp.org
Wed Dec 16 17:46:55 EST 2009


Mungo,

Wow. Shame on IBM.

http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK42881

Many of us were wrong about this; I'm grateful you actually dug into
this and have been in contact with IBM.

I sent them feedback on this topic already; I'll let you know if I make
any progress.

You can fix this via an outbound Servlet filter (although it can be
problematic in some environments; it's not surefire), or via a WAF (or
an ESAPI WAF rule).

If you are struggling with a solution using ESAPI, let us know if we can
help.

Cheers,
Jim Manico




> Hi,
> Apologies if this is slightly off-topic but I think those interested
> follow this list.
> Several blogs quote IBM as saying they added support for httpOnly
> cookies in WebSphere last year.
> After trying and failing to get this to work for session cookies, I've
> had confirmation from IBM that this does not include cookies set
> server-side (including JSESSIONID).
> All it does is provide some sort of support when the flag is set by
> the client, which as I understand it is not the main point for XSS
> protection.
> So anyone keen to persuade them to do this properly - feel free to
> have another go!
> Whether an ESAPI filter should pick this up, or alternative methods
> (we're looking at an application firewall rule) I'll leave to the
> experts to debate.
> Thanks and keep up the great work!
> Mungo Carstairs
> Senior Systems Developer
> Business Solutions
> Standard Life Employee Services Limited
> http://www.standardlife.com
>
> Tel:        +44 (0)131 246 2785
>
>


-- 

- Jim Manico
OWASP ESAPI Project Manager
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

OWASP Podcast Host/Producer
http://www.owasp.org/index.php/OWASP_Podcast
