[Esapi-user] httpOnly flag and WebSphere

Jim Manico jim.manico at owasp.org
Wed Dec 16 22:31:27 EST 2009

>  Has anyone actually tried adding the HttpOnly flag to JSESSION cookie
in a filter or such?

Yes, in Tomcat 5x, using the ESAPI filter, no problem.

- Jim

On 12/16/2009 5:17 PM, Ed Schaller wrote:
>> Wow. Shame on IBM.
> Not the worst of WAS's issues sadly.
> I tried getting this working a few months ago myself and also
> failed. Their own docs link to the owasp wiki on it but fail to mention
> anything about it. I happened on some stuff involving a custom container
> property but I couldn't get that working either.
>> Many of us were wrong about this; I'm grateful you actually dug into
>> this and have been on contact with IBM.
>> I sent them feedback on this topic already, I'll let you know if I make
>> any progress.
> If you don't let me know. This hasn't reached the top of my stack
> yet. Past experience has shown that IBM is poor in responding to
> non-customers even on security issues. I work for a customer.
>> You can fix this via an outbound Servlet filter (although, it can be
>> problematic in some environments, its not sure fire), or via a WAF (or
>> an ESAPI WAF rule).
> Has anyone actually tried adding the HttpOnly flag to JSESSION cookie
> in a filter or such? I ask because the WAS websphere plugin appends to
> the JSESSION cookie to give affinity to one app server for the session
> (for performance as sessions can be shared via a db or mem to mem). I
> haven't gotten around to setting up a test environment with plugin and
> multiple app servers to see if such a filter causes issues.
> Incidentally, how many others are working with WAS? Anyone working
> on portal?
>>>> ------>


- Jim Manico
OWASP ESAPI Project Manager

OWASP Podcast Host/Producer

More information about the Esapi-user mailing list