[Esapi-user] httpOnly flag and WebSphere

Ed Schaller schallee at darkmist.net
Wed Dec 16 22:17:28 EST 2009

> Wow. Shame on IBM.

Not the worst of WAS's issues sadly.

I tried getting this working a few months ago myself and also
failed. Their own docs link to the owasp wiki on it but fail to mention
anything about it. I happened on some stuff involving a custom container
property but I couldn't get that working either.

> Many of us were wrong about this; I'm grateful you actually dug into
> this and have been in contact with IBM.
> I sent them feedback on this topic already, I'll let you know if I make
> any progress.

If you don't let me know. This hasn't reached the top of my stack
yet. Past experience has shown that IBM is poor in responding to
non-customers even on security issues. I work for a customer.

> You can fix this via an outbound Servlet filter (although, it can be
> problematic in some environments, it's not sure-fire), or via a WAF (or
> an ESAPI WAF rule).

Has anyone actually tried adding the HttpOnly flag to the JSESSION cookie
in a filter or such? I ask because the WAS websphere plugin appends to
the JSESSION cookie to give affinity to one app server for the session
(for performance as sessions can be shared via a db or mem to mem). I
haven't gotten around to setting up a test environment with plugin and
multiple app servers to see if such a filter causes issues.

Incidentally, how many others are working with WAS? Anyone working
on portal?
