HttpOnly Cookie configuration in Jetty Server used in UberJar is not taking effect

Hello Support Team,

I am trying to set the JSESSIONID cookie to be secured by setting the HttpOnly cookie flag to true. I tried the following options with no success:
(note that I am using the default UberJar deployment method provided in the official documentation)

Option 1: Configuring the jetty-env.xml (note the sessionHandler):

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure id='wac' class="org.eclipse.jetty.webapp.WebAppContext">
    <!-- Session cookie flags set on the Jetty session manager of this context -->
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="httpOnly" type="boolean">true</Set>
        </Get>
    </Get>
    <New id="CubaDS" class="org.eclipse.jetty.plus.jndi.Resource">
        <Arg/>
        <Arg>jdbc/CubaDS</Arg>
        <Arg>
            <New class="org.apache.commons.dbcp2.BasicDataSource">
                <Set name="driverClassName">org.postgresql.Driver</Set>
                <Set name="url">jdbc:postgresql://db/vp</Set>
                <Set name="username">**********</Set>
                <Set name="password">**********</Set>
                <Set name="maxIdle">2</Set>
                <Set name="maxTotal">20</Set>
                <Set name="maxWaitMillis">5000</Set>
            </New>
        </Arg>
    </New>
</Configure>

Option 2: Configuring the web.xml as follows (note the session-config):

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <!-- Application properties config files -->
    <context-param>
        <param-name>appPropertiesConfig</param-name>
        <param-value>classpath:com/company/vp/app.properties
            /WEB-INF/local.app.properties
            "file:${catalina.base}/conf/app-core/local.app.properties"</param-value>
    </context-param>
    <!--Application components-->
    <context-param>
        <param-name>appComponents</param-name>
        <param-value>com.haulmont.cuba it.nexbit.cuba.security.forgotpassword</param-value>
    </context-param>
    <listener>
        <listener-class>com.haulmont.cuba.core.sys.AppContextLoader</listener-class>
    </listener>
    <!-- Servlet 3.0 session cookie settings for the context this web.xml belongs to -->
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>
    <servlet>
        <servlet-name>remoting</servlet-name>
        <servlet-class>com.haulmont.cuba.core.sys.remoting.RemotingServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>remoting</servlet-name>
        <url-pattern>/remoting/*</url-pattern>
    </servlet-mapping>
</web-app>

Can you please let me know what I am doing wrong and why none of my attempts is taking effect, as the cookie sent to the browser still doesn't have the HttpOnly flag set.

I found the problem: I was modifying the wrong web.xml file. The correct one to modify is the web.xml file in the web module, not the one in the core module.

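A quick way to confirm that the fix in the web module's web.xml actually reached the browser is to look at the Set-Cookie header the server sends and check the attributes on JSESSIONID. The script below is an added example, not code from the original post or from the CUBA Platform or Jetty projects. It parses Set-Cookie headers the way a browser does (attribute names are case-insensitive, HttpOnly and Secure are valueless flags) and reports whether the session cookie carries both flags. The two sample headers are constructed to mimic a response before and after the change; the host, port and path in the optional live check are assumptions to adjust for your deployment.

```python
"""Check the HttpOnly and Secure flags on a server's JSESSIONID cookie.

Added example, not part of the original forum post nor of the CUBA Platform
or Jetty code bases. Sample Set-Cookie headers are constructed, not captured.
"""
import http.client
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased because browsers treat them
    case-insensitively (RFC 6265); valueless attributes such as HttpOnly
    and Secure are recorded as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def session_cookie_flags(set_cookie_headers: List[str],
                         cookie_name: str = "JSESSIONID") -> Optional[Dict[str, bool]]:
    """Return {'httponly': bool, 'secure': bool} for the session cookie,
    or None when none of the headers sets that cookie at all."""
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] == cookie_name:
            attrs = cookie["attrs"]
            return {"httponly": attrs.get("httponly") is True,
                    "secure": attrs.get("secure") is True}
    return None


def fetch_session_cookie_flags(host: str, port: int = 8080, path: str = "/app/",
                               use_tls: bool = False,
                               cookie_name: str = "JSESSIONID") -> Optional[Dict[str, bool]]:
    """Request `path` from a running instance and report the flags on the
    session cookie it sets. Host, port and path are assumptions for
    illustration; this function is not exercised offline."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        # getheaders() keeps each Set-Cookie header as its own entry
        headers = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
        return session_cookie_flags(headers, cookie_name)
    finally:
        conn.close()


# Constructed sample headers (not captured from a real server).
BEFORE_FIX = ["JSESSIONID=node01abc123.node0; Path=/app"]
AFTER_FIX = ["JSESSIONID=node01abc123.node0; Path=/app; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, session_cookie_flags(hdrs))
```

One caveat when verifying the Secure flag: a browser will not store a Secure cookie received over plain HTTP, so if the web module's web.xml sets `<secure>true</secure>` and the UberJar is reached over http:// during testing, the login session will appear broken rather than merely unflagged. Run the live check over the same scheme (HTTPS, or HTTP behind a TLS-terminating proxy) that users will actually use.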