How to enable HttpOnly and Secure Session Cookies in EAP 6.x

Resolution

Note that these options are only to set Secure/HttpOnly flags on the JSESSIONID session cookie. It will not apply these flags to any other cookies so if you want these flags set on some other cookie, you would need to address the config or code of whatever is creating those cookies.

To enable Secure flag for JSESSIONID session cookie, you can add attribute secure="true" to the <connector> you use in the web subsystem of your standalone(-*).xml or domain.xml.

There is no global configuration for HttpOnly flag for JSESSIONID session cookie in EAP 6. This has been added for EAP 7 per How to enable HttpOnly and Secure Session Cookies in EAP 7.x. However, you can define HttpOnly flag and also Secure flag on a per context basis in the the web.xml:

<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee web-app_3_0.xsd"
      version="3.0">

      <session-config>
          <cookie-config>
             <http-only>true</http-only>
             <secure>true</secure>
          </cookie-config>
          <tracking-mode>COOKIE</tracking-mode>
      </session-config>

</web-app>

EAP 6 does not have "jbossweb.sar", but it is a fully certified EE6 container which follows the Servlet 3.0 specification. According to the specification "All servlet containers MUST provide an ability to configure whether or not the container marks the session tracking cookie as "HttpOnly". In the case of JBoss EAP 6.x, this is made possible via a configuration in web.xml

Note: The session-config method only applies to securing the JSESSIONID, to secure other custom cookies, refer to Can a custom cookie be encrypted in JBoss EAP 6?.

If you are using EAP 6.3 or later, you can configure the above <cookie-config> in Servlet 3.0 web-fragment.xml and enable it globally by using deployment-overlay feature. Note that adding/replacing jar does not work before EAP 6.3 as explained in this article, so you need to upgrade JBoss EAP to use this method.

1. Create META-INF/web-fragment.xml like the following:

   <web-fragment version="3.0"
                 xmlns="http://java.sun.com/xml/ns/javaee" 
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
       <session-config>
           <cookie-config>
               <http-only>true</http-only>
               <secure>true</secure>
           </cookie-config>
           <tracking-mode>COOKIE</tracking-mode>
       </session-config>
   </web-fragment>
   

2. Create jar file with the META-INF/web-fragment.xml

   jar cvf web-fragment-lib.jar META-INF/web-fragment.xml 
   

3. Use deployment-overlay to add the generated web-fragment-lib.jar to all deployed war:

   $ ./bin/jboss-cli.sh -c
   [standalone@localhost:9999 /] deployment-overlay add --name=web-fragment-jar --content=WEB-INF/lib/web-fragment-lib.jar=/path/to/web-fragment-lib.jar --deployments=*.war --redeploy-affected
   

   Note:

   • The configurations from multiple descriptors will be merged (web.xml or web-fragment.xml). If the element can take multiple values, the value will be a union and if there is a conflict between a web-fragment.xml and web.xml, web.xml will take precedence.
   • Make sure that your webapplication's WEB-INF/web.xml does NOT have metadata-complete="true" setting.
   • Due to known bug BZ#1235627, when the version of web.xml are 2.3 or 2.4, metadata-complete="true" is set implicitly. So, if the version of your web application's web.xml are 2.3 or 2.4, please modify and set it to the version to 2.5 or 3.0 to use this approach.