About me
I work for a Norwegian IT consultancy company called Visiti (www.visiti.no). The company was established on the 1st of January 2009, with Software Innovation ASA as the sole owner. The company numbers 46 consultants within the fields of consultancy, system development and project management.
Visiti AS' goal is to be a renowned provider of IT consultants, primarily aimed at the banking, insurance and public sector, but also other selected businesses where IT is a critical success factor. Visiti AS delivers services and solutions based on both Microsoft and Java technology.
 

I lead the company's Java division, and am also out in the field, doing some real work and getting my hands dirty.

  

« Getting started with JavaFX (in 30 minutes) | Main | About Eclipse and Tekken »
Saturday, 30 May 2009

HttpOnly cookies in the Servlet 3.0 Specification

If a web application is vulnerable to XSS attacks, your cookies can easily end up in the wrong hands. One of the more popular targets for XSS attacks is of course the session cookie. In the wrong hands this cookie lets an attacker impersonate you and get access to personal information, or even your bank account.

Back in 2002 Microsoft implemented a mechanism called "HttpOnly cookies" in Internet Explorer 6 SP1. There is no magic involved; it is just an extra attribute in the Set-Cookie response header. If the browser supports it, a cookie carrying the attribute is left out of document.cookie, so client-side script never sees it (and a script that reads document.cookie when that was the only cookie gets an empty string). The cookie is still sent with every request, so the server side works exactly as before.

Nowadays most servers and browsers protect the session cookie this way, even though Ajax and the XMLHttpRequest object lurk in the shadows: some browsers used to let script read the raw Set-Cookie header through XMLHttpRequest's getAllResponseHeaders(), which bypassed the flag entirely. A snake in paradise, but also a different story!

New in the upcoming Servlet 3.0 specification is support for marking your own custom cookies HttpOnly. Earlier versions of the Cookie class had no way to set the attribute, so you had to write the Set-Cookie header by hand if you wanted it.

The servlet sends cookies to the browser by using the HttpServletResponse.addCookie(javax.servlet.http.Cookie) method, which adds fields to HTTP response headers to send cookies to the browser, one at a time. The browser is expected to support 20 cookies for each Web server, 300 cookies total, and may limit cookie size to 4 KB each.

In the new servlet specification, the Cookie class has the following methods:

void setHttpOnly(boolean isHttpOnly)
boolean isHttpOnly()

Great news for security aware web developers!
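Here is how the new API is used, as an added example that is not from the original post: a Servlet 3.0 servlet that issues a hypothetical "prefs" cookie with the flag set, the manual Set-Cookie header you have to write on a Servlet 2.5 container, and a listener that applies the same flag to the container's own session cookie through SessionCookieConfig, which is also new in 3.0. The cookie name, value and URL pattern are assumptions for the example.

```java
import java.io.IOException;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Issues a custom "prefs" cookie (hypothetical name) that client-side script
 * cannot read, and hardens the container's session cookie the same way.
 */
@WebServlet("/prefs")
public class HttpOnlyCookieServlet extends HttpServlet {

    private static final String COOKIE_NAME = "prefs";       // hypothetical
    private static final String COOKIE_VALUE = "no";         // hypothetical
    private static final int ONE_WEEK = 7 * 24 * 60 * 60;    // seconds

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = req.getContextPath().isEmpty() ? "/" : req.getContextPath();

        // Servlet 3.0: the Cookie class carries the flag itself.
        Cookie prefs = new Cookie(COOKIE_NAME, COOKIE_VALUE);
        prefs.setPath(path);
        prefs.setMaxAge(ONE_WEEK);
        prefs.setHttpOnly(true);          // omitted from document.cookie in the browser
        prefs.setSecure(req.isSecure());  // if it arrived over HTTPS, never send it over HTTP
        resp.addCookie(prefs);
        // The container emits something like:
        // Set-Cookie: prefs=no; Path=/app; Max-Age=604800; HttpOnly[; Secure]

        resp.setContentType("text/plain");
        resp.getWriter().println("Cookie " + COOKIE_NAME + " set with HttpOnly");
    }

    /**
     * Portable fallback for Servlet 2.5 containers, where Cookie has no
     * setHttpOnly(): write the Set-Cookie header by hand. Use addHeader, not
     * setHeader; setHeader would overwrite a Set-Cookie the container has
     * already queued for the same response (typically JSESSIONID).
     */
    static void addHttpOnlyCookieManually(HttpServletResponse resp, String name,
                                          String value, String path, int maxAge,
                                          boolean secure) {
        String header = name + "=" + value + "; Path=" + path + "; Max-Age=" + maxAge
                + "; HttpOnly" + (secure ? "; Secure" : "");
        resp.addHeader("Set-Cookie", header);
    }

    /**
     * Applies the flag to the container's session cookie as well. This is the
     * programmatic equivalent of <session-config><cookie-config><http-only>
     * in a Servlet 3.0 web.xml.
     */
    @WebListener
    public static class SessionCookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
            cfg.setHttpOnly(true);
            cfg.setSecure(true);   // assumes the application is only served over HTTPS
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) {
        }
    }
}
```

To check the result, fetch the page with curl -i and look for "HttpOnly" on the Set-Cookie line, then open the page in a browser and evaluate document.cookie: the prefs cookie and JSESSIONID should both be missing from the string. Note that SessionCookieConfig must be changed before the context is initialised, which is why it sits in a ServletContextListener; calling it from a servlet at request time throws IllegalStateException.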
