Bug 44382

Summary: Need to add support for HTTPOnly session cookie parameter
Product: Tomcat 5
Reporter: Jim Manico <jim>
Component: Servlet & JSP API
Assignee: Tomcat Developers Mailing List <dev>
Severity: enhancement
CC: jim, sunbiz
Priority: P1
Version: Unknown
Target Milestone: ---
Hardware: All
OS: All
URL: http://msdn2.microsoft.com/en-us/library/ms533046.aspx
Attachments:
* Patch to ServerCookie to include HttpOnly option
* Patch for Request to include HttpOnly support from SessionCookie
* Patch for Response to include HttpOnly support from SessionCookie and Request
* Patch for HttpOnly support in javax.servlet.http.Cookie
* Patch to ServerCookie to include HttpOnly option
* Port of httpOnly to 5.5.x

Description Jim Manico 2008-02-08 09:43:03 UTC
JavaScript currently has access to the JSESSIONID cookie, access that is never
required of any application. IE 6.0 and Firefox (as of now) support the
HTTPOnly flag, which when added to a cookie will prevent document.cookie calls
from JavaScript, blocking a large class of security vulnerabilities such as XSS
(Cross Site Scripting). I would like to add HTTPOnly support to the Tomcat
servlet session manager, turned ON by default, but give the server
manager/programmer the ability to turn this off. Although this is an
enhancement, this is really a needed security patch that will only add to the
glory of Tomcat Servlet support.
Comment 1 Jim Manico 2008-03-30 02:42:32 UTC
Created attachment 21735 [details]
Patch to ServerCookie to include HttpOnly option

This patch will effect great change to many classes in Tomcat. But the change is simple, and is compliant with the original source on this functionality enhancement at http://msdn2.microsoft.com/en-us/library/ms533046.aspx
Comment 2 Jim Manico 2008-03-30 02:53:41 UTC
Created attachment 21736 [details]
Patch for Request to include HttpOnly support from SessionCookie
Comment 3 Jim Manico 2008-03-30 02:54:14 UTC
Created attachment 21737 [details]
Patch for Response to include HttpOnly support from SessionCookie and Request
Comment 4 Jim Manico 2008-03-30 03:05:15 UTC
Supported browsers:
* IE 7.0
* Firefox >=
* Firefox 3.0 beta
* Camino 1.5.4
* IE 6.0 sp1+
* Opera 9.50 beta+

Safari underway, see: http://bugs.webkit.org/show_bug.cgi?id=10957
Comment 5 Jim Manico 2008-03-31 12:44:09 UTC
Created attachment 21741 [details]
Patch for HttpOnly support in javax.servlet.http.Cookie
Comment 6 Jim Manico 2008-03-31 12:52:58 UTC
Created attachment 21742 [details]
Patch to ServerCookie to include HttpOnly option

Since this patch changes today's behavior, added code to provide backwards compatibility that defaults to HttpOnly being turned off for this initial release. Would like to default this to on, someday.
Comment 7 Saptarshi 2008-07-11 15:58:57 UTC
All the major browsers support it... It is useful for the security of web applications and can help prevent XSS (if not XST). This isn't really a big change to the code and should be done quickly.

And if anyone is thinking it's only a Microsoft hack, then today we shouldn't have AJAX in web programming.
Comment 8 david jencks 2008-07-12 09:28:32 UTC
The Servlet 3.0 spec EDR includes support for HttpOnly cookies.  I've come up with an untested 3.0 EA api jar for geronimo including the api change.

Source code at https://svn.apache.org/repos/asf/geronimo/specs/trunk/geronimo-servlet_3.0_spec

snapshots at http://people.apache.org/repo/m2-snapshot-repository/org/apache/geronimo/specs/geronimo-servlet_3.0_spec/1.0-EA-SNAPSHOT/
Comment 9 Jim Manico 2008-07-24 18:47:23 UTC
Thank you for your support to see my HttpOnly session id patch get pushed into a future release of Tomcat. Several of the committers tell me that this patch will indeed go live in a future release - after the recent dramatic changes to cookie encoding settle down.

The patches I submitted are rather simple; this is not rocket science. (And it will indeed break very old/obscure browsers like IE 5.5 on Mac.) My patch does not change anything by default - it requires a configuration change to make the JSESSIONID cookies HttpOnly. I prefer secure by default, but I think this is a fair compromise to encourage the powers-that-be to push this live, hopefully soon.
Comment 10 Damien Bonvillain 2008-07-25 00:27:00 UTC
> And it will indeed break very old/obscure browsers like IE 5.5 on Mac

If only :-) But IE on Mac never reached 5.5, it stopped at 5.02.
Comment 11 Jim Manico 2008-07-25 00:30:08 UTC
Actually, the final Mac IE version was 5.2.3, see http://en.wikipedia.org/wiki/Internet_Explorer_for_Mac but you got my point, I hope. HttpOnly in VERY rare cases "breaks the browser" so my patch only enables HttpOnly session cookies if a configuration file change is made.
Comment 12 Mark Thomas 2008-09-13 10:44:28 UTC
I have applied a variation of your patches to trunk and will propose them for 6.0.x and 5.5.x shortly. The main differences are:

1. No change to the Servlet API classes. Whilst this is in the 3.0 draft, the API isn't defined and whilst I am reasonably sure what it will look like I don't want to risk API breakage when the 3.0 API is published.

2. It is enabled by default in trunk and will be enabled by default in Tomcat 7.x. I will propose the same default for 6.0.x and 5.5.x but we'll need to see which way the votes go.

3. It is configured via the Manager. Where there is an option to use the standard Tomcat configuration mechanism I prefer to use it. System properties should be reserved for configuration that doesn't fit with a standard component or would require some ugly hacks to do so. This was a nice, simple fit with the Manager.
Comment 13 Jim Manico 2008-09-14 07:00:35 UTC
Mark, thank you! I'm a big fan of the choices you made here in terms of proposing default-on for tomcat 5/6 and easy configuration via the Tomcat Manager.

Right ON! I can't wait to see this go live!
Comment 14 Mark Thomas 2008-09-14 07:11:43 UTC
I don't think I was too clear in my previous comment. Configuration isn't via the Manager app; it is via the Manager element that may be placed within a Context element in the configuration files, i.e. a new attribute has been added to http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html
Comment 15 Jim Manico 2008-09-14 14:19:30 UTC
Thanks for the clarification, Mark. If I'm reading this right - you are placing the HttpOnly configuration option within the context of one virtual host instead of a global system property?
Comment 16 Mark Thomas 2008-09-14 15:57:13 UTC
With the current trunk implementation, you would need to do the following to disable HttpOnly

  <Manager useHttpOnly="false" />

As with any Context configuration you could set this for an individual Context, all Contexts within a host or every Context within a Tomcat instance.
Comment 17 Mark Thomas 2009-03-01 04:49:28 UTC
This has been implemented in 6.0.x and will be included in 6.0.19 onwards. It is disabled by default so you need to use:

  <Manager useHttpOnly="true" />

to enable it.
Comment 18 Jim Manico 2009-03-05 12:47:18 UTC
As the original poster of the feature request back in Feb 08, I want to extend my sincere gratitude to Mark and the Tomcat team for adding this patch to trunk!

Thank you, Gents!
Comment 19 Mark Thomas 2009-04-16 03:23:37 UTC
Created attachment 23497 [details]
Port of httpOnly to 5.5.x

Note that the implementation was subsequently changed to do the configuration on the Context element rather than the Manager.

I have also attached a port of the Tomcat 6.0.x implementation to Tomcat 5.5.x
Comment 20 Dillon Sellars 2009-06-11 09:32:19 UTC
(In reply to comment #17)
> This has been implemented in 6.0.x and will be included in 6.0.19 onwards. It
> is disabled by default so you need to use:
> <Context>
>   <Manager useHttpOnly="true" />
> </Context>
> to enable it.

This was moved out of Manager with http://svn.apache.org/viewvc?rev=750918&view=rev but is still documented in webapps/docs/config/manager.xml - missed removing the documentation in the Standard Manager Implementation section. 

This is Context only, i.e. the following will do the trick:

<Context useHttpOnly="true">
Comment 21 Mark Thomas 2009-06-11 09:44:45 UTC
Sorry about that. I just removed it from trunk and 6.0.x
Comment 22 Mark Thomas 2009-06-13 13:27:39 UTC
This has been applied to 5.5.x and will be included in 5.5.28 onwards.
Comment 23 August Detlefsen 2010-01-31 12:23:31 UTC
(In reply to comment #22)
> This has been applied to 5.5.x and will be included in 5.5.28 onwards.

On Tomcat 5.5.28, when using context.xml.default to set up attributes for all contexts, this appears to have no effect. For example, in my context.xml.default for a particular host I have:

<Context reloadable="true" swallowOutput="true" crossContext="true" allowLinking="true" unpackWAR="false" useHttpOnly="true">

And yet if I set up a page with:

<script type="text/javascript">

I still get cookie information written to the output: 

JSESSIONID=A7FB0749E8CDE79E7687E2DABF932BE2; JSESSIONID=7924B5D74D10AD458191C6292196C87A 

Do I need to specify this individually for every context?
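A server-side way to check whether useHttpOnly has taken effect for a given context, instead of reading document.cookie in a page: parse the Set-Cookie headers the context returns and flag any JSESSIONID that carries no HttpOnly attribute. This is an added example, not code from the thread or from Tomcat; the header lines are constructed and the session id values are placeholders.

```python
"""Report session cookies issued without the HttpOnly flag."""
from typing import Dict, List, Tuple, Union

# Constructed sample response headers (not captured from a real Tomcat instance).
# The first JSESSIONID is what a Context without useHttpOnly="true" emits; the
# second is what the setting produces once it is in effect for that context.
SAMPLE_HEADERS = [
    "Content-Type: text/html;charset=UTF-8",
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app",
    "Set-Cookie: JSESSIONID=FEDCBA9876543210FEDCBA9876543210; Path=/other; HttpOnly",
    "Set-Cookie: theme=dark; Path=/; Max-Age=3600",
]

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split one 'Set-Cookie: name=value; attr; attr=value' line into its parts.

    Attribute names are lower-cased because browsers treat them
    case-insensitively; flag attributes such as HttpOnly and Secure map to True.
    """
    _, _, body = header.partition(":")
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def session_cookies_missing_httponly(headers: List[str],
                                     session_name: str = "JSESSIONID") -> List[str]:
    """Return the Path of every session cookie in `headers` that is not HttpOnly.

    One entry per offending Set-Cookie header; an empty list means every
    context that issued a session cookie has HttpOnly in effect.
    """
    missing: List[str] = []
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        if name == session_name and attrs.get("httponly") is not True:
            missing.append(str(attrs.get("path", "/")))
    return missing


if __name__ == "__main__":
    for path in session_cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"session cookie for context {path} is readable from JavaScript")
```

Feed it the raw response headers from each context you expect context.xml.default to cover; any path listed is a context where the default did not apply.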