    Profile cookie setting for httponly and secure

      Hi All,

      We have a requirement of setting the cookie value for DYN_USER_ID with 'httponly' and 'secure' modes.

      Currently our site sets the cookies as: “Set-Cookie: DYN_USER_ID=443786224; Path=/” on both HTTP and HTTPS.

      But we need it as:
      “Set-Cookie: DYN_USER_ID=443786224; Path=/; httponly” on HTTP

      “Set-Cookie: DYN_USER_ID=443786224; Path=/; secure; httponly” on HTTPS.

      I found in /atg/userprofiling/CookieManager that this component sets the profile cookie values.

      Is there a way if we can customize this to incorporate the httponly or secure accordingly ?

      Could anyone please advise how can we do this ?

      Thanks in advance,
        • 1. Re: Profile cookie setting for httponly and secure
Hi, did you find a solution for the cookie problem? Please let me know, I want to do exactly the same. I was trying to create my custom class that extends HttpServletResponseWrapper, overriding "public void addCookie(Cookie cookie)" and inside this method placing something like:

                         public void addCookie(javax.servlet.http.Cookie c) {   // Servlet 2.x Cookie has no HttpOnly flag,
                             addHeader("Set-Cookie", c.getName() + "=" + c.getValue()   // so emit the Set-Cookie header by hand
                                     + "; Path=" + c.getPath() + "; HttpOnly");
                         }

          I'm still looking for a solution, any comment will help!!

          • 2. Re: Profile cookie setting for httponly and secure
            Consider setting this in your Apache or Load Balancer tier for all cookies.

            It is best to make your website 100% HTTPS. Doing that will allow you to set all cookies as secure, and most, if not all, as HttpOnly as well (unless you are modifying them on the client side somehow).

            If you can't set it in Apache or the Load Balancer, a servlet filter that adds the HttpOnly and secure parameters is your best bet. There are many examples of this "out there". It doesn't have to be anything specific to ATG.
            • 3. Re: Profile cookie setting for httponly and secure
              good news,

              My most recent information about the new security features that Oracle brought with new updates, says that the implementation of httpOnly is now available in Oracle ATG 10.1 (not in the patch for version 9.4) including other good fixes.

              Please, look at this:

              Basically, it just has some links to the documentation for the new Oracle ATG 10.1 product. Here are the links:

              SecurityServlet and ParameterValidator


              HttpOnly Attribute for Cookies

              So, you will have to patch up to get these improvements.

              BTW, this version update brings some good PCI compliance security fixes (there are about thirteen).