Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: HttpOnly and J2EE containers

from [Jeff Williams] Network Security [Permanent Link]
Subject: RE: HttpOnly and J2EE containers
Date: Fri, 17 Feb 2006 21:06:59 -0500 
The J2EE Cookie interface doesn't support HttpOnly.  And there's no way to
do any kind of J2EE API injection, it validates the cookie value too well.
The only way to do it is to set up the entire Set-Cookie header by hand. Try
something like this...

    response.setHeader( "Set-Cookie","name1=value1; HttpOnly" );
 
 
--Jeff



On 2/14/06, Pilon Mntry <pilonmntry@yahoo.com> wrote: 
Lately, I needed to add HttpOnly cookie parameter to
Java System Application Server PE and had to use

...
<property name="cookiePath" value="/mypath;
HttpOnly;">
...

hack in sun-web.xml file. Well, Actually this didn't
work (obviously in IE, which uses v0 cookie parser and
only one supporting HttpOnly) and I had to tweak the
above "a little bit".

Anyways, I searched about this on the net, but
couldn't find anything solid except that Resin and
some other AS has made this operation easy... 

Now, my question is do you guys know an easy way to
incorporate this cookie parameter in other J2EE
containers, such as OracleiAS or Websphere, WebLogic,
etc. Maybe more a standard way than an easy way... 

-pilon



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper 
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------



-- 

--pl 


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: FW: Tools comparison and evaluation question (AppScan), Joe White
Next by Date:  Re: Fortify Source Code Auditing Suite and the like, Dhruv Soi
Previous by Thread:  HttpOnly and J2EE containers, Pilon Mntry
Next by Thread:  RE: HttpOnly and J2EE containers, Pilon Mntry
Indexes:  [Date] [Thread] [Top] [All Lists]