15.6. About http-only Session Management Cookies
The http-only attribute for session management cookies mitigates the risk of session cookie theft by restricting access from non-HTTP APIs such as JavaScript. A cookie flagged HttpOnly is still sent by the browser with every request to the server, but client-side scripts cannot read it (for example through document.cookie), so a cross-site scripting (XSS) flaw cannot be used to exfiltrate the session identifier. It does not stop an injected script from issuing requests that carry the cookie; only the cookie value itself is protected. This restriction applies only to session management cookies, not to other browser cookies. By default, the http-only attribute is enabled.
If it has not yet been done, add SSO to the virtual server in the web subsystem before using the http-only attribute.
Example 15.4. Add SSO to the Virtual Server
Enter the following Management CLI command to add SSO to the virtual server in the web subsystem.
/subsystem=web/virtual-server=default-host/configuration=sso:add
Note
If this command results in a "JBAS014803: Duplicate resource" failure, it means SSO is already added to the virtual server configuration. You can ignore this error and continue.
Note
JSESSIONID and JSESSIONIDSSO are session tracking cookies. By default they are http-only and cannot be accessed by scripts.
Example 15.5. Verify the http-only Attribute
Enter the following Management CLI command to verify the value of the http-only attribute.
/subsystem=web/virtual-server=default-host/configuration=sso:read-resource
{
    "outcome" => "success",
    "result" => {
        "cache-container" => undefined,
        "cache-name" => undefined,
        "domain" => undefined,
        "http-only" => true,
        "reauthenticate" => undefined
    },
    "response-headers" => {"process-state" => "reload-required"}
}
Example 15.6. Enable the http-only Attribute
Enter the following Management CLI command to enable the http-only attribute (use value=false to disable it). If the response reports a process-state of reload-required, reload the server for the change to take effect.
/subsystem=web/virtual-server=default-host/configuration=sso:write-attribute(name=http-only,value=true)
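The Management CLI shows what the server is configured to do; a practitioner also wants to confirm what the browser actually receives. The following is an added example, not code from the Red Hat documentation or from JBoss EAP: it parses raw Set-Cookie header values as a deployed application would return them and reports any session tracking cookie (JSESSIONID or JSESSIONIDSSO, the names given above) that lacks the HttpOnly flag. It additionally flags a missing Secure attribute, which the page does not discuss but which the same audit naturally covers. The sample headers are constructed for illustration, not captured from a real server.

```python
"""Check that JBoss EAP session tracking cookies carry the HttpOnly flag.

Added example, not part of the Red Hat documentation. Feed it the
Set-Cookie header values from an HTTP response (for example, the output
of curl -sI against the application) and it reports session cookies
that a client-side script could still read.
"""
from typing import Dict, List

# Session tracking cookies named in the documentation; ordinary application
# cookies are not governed by the http-only setting on the SSO resource.
SESSION_COOKIE_NAMES = {"JSESSIONID", "JSESSIONIDSSO"}


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into its name, value and attributes.

    Attribute names are matched case-insensitively, as browsers do, so
    "HttpOnly", "httponly" and "HTTPONLY" are all recognised.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {
        "name": name.strip(),
        "value": value.strip(),
        "httponly": attrs.get("httponly") is True,
        "secure": attrs.get("secure") is True,
        "attrs": attrs,
    }


def audit_session_cookies(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Return problems for each session cookie, keyed by cookie name.

    An empty dict means every session tracking cookie carries both flags.
    """
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in SESSION_COOKIE_NAMES:
            continue
        problems = []
        if not cookie["httponly"]:
            problems.append("missing HttpOnly: readable via document.cookie")
        if not cookie["secure"]:
            problems.append("missing Secure: sent over plain HTTP")
        if problems:
            findings[cookie["name"]] = problems
    return findings


# Constructed sample headers (not captured from a real JBoss EAP instance):
# a correctly flagged JSESSIONID, an SSO cookie with http-only disabled,
# and an ordinary application cookie that the check must ignore.
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C4D5E6F.node1; Path=/app; Secure; HttpOnly",
    "JSESSIONIDSSO=9F8E7D6C5B4A; Path=/; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, problems in audit_session_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {'; '.join(problems)}")
```

Run it against real headers by pasting the Set-Cookie lines from the application's login response into SAMPLE_HEADERS; a JSESSIONIDSSO cookie that appears without HttpOnly means the SSO resource on the virtual server is not configured as the read-resource output above shows, or the server has not been reloaded since the attribute was written.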