Hi, did you find a solution for the cookie problem? Please let me know; I want to do exactly the same. I was trying to create my custom class that extends HttpServletResponseWrapper, overriding "public void addCookie(Cookie cookie)" and inside this method placing something like:
// build a commons-httpclient Cookie from the servlet Cookie passed to addCookie(), then emit the header ourselves with HttpOnly appended
org.apache.commons.httpclient.Cookie c = new org.apache.commons.httpclient.Cookie(cookie.getDomain(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getMaxAge(), cookie.getSecure());
addHeader("Set-Cookie", c.toExternalForm() + "; HttpOnly");
I'm still looking for a solution; any comment will help!!
Consider setting this in your Apache or Load Balancer tier for all cookies.
It is best to make your website 100% HTTPS. Doing that will allow you to set all cookies as Secure, and most, if not all, as HttpOnly as well (unless you are modifying them on the client side somehow).
If you can't set it in Apache or the Load Balancer, a servlet filter that adds the HttpOnly and Secure parameters is your best bet. There are many examples of this "out there". It doesn't have to be anything specific to ATG.
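A servlet filter of the kind described in the reply above, written here as an added example (it is not code from this thread, from ATG or from Oracle). It assumes a Servlet 2.5 container, where javax.servlet.http.Cookie has no setHttpOnly(), so the wrapper writes the Set-Cookie header itself; the filter name and web.xml mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
// Assumed filter name; map it in web.xml to the URLs whose cookies need hardening.
public class HttpOnlyCookieFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Wrap the response so every cookie passes through the hardening code below.
        chain.doFilter(req, new HardeningResponseWrapper((HttpServletResponse) res, req.isSecure()));
    }

    static class HardeningResponseWrapper extends HttpServletResponseWrapper {
        private final boolean secureRequest;

        HardeningResponseWrapper(HttpServletResponse resp, boolean secureRequest) {
            super(resp);
            this.secureRequest = secureRequest;
        }

        // Cookies added via the API: build the Set-Cookie header ourselves.
        @Override public void addCookie(Cookie c) {
            StringBuilder sb = new StringBuilder(c.getName()).append('=').append(c.getValue());
            if (c.getPath() != null)   sb.append("; Path=").append(c.getPath());
            if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
            if (c.getMaxAge() >= 0)    sb.append("; Max-Age=").append(c.getMaxAge()); // -1 = session cookie
            super.addHeader("Set-Cookie", harden(sb.toString(), c.getSecure()));
        }

        // Set-Cookie headers written directly (e.g. by a framework) get the same treatment.
        @Override public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value, false) : value);
        }

        @Override public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value, false) : value);
        }

        // Append HttpOnly always; append Secure only when the cookie asked for it or the
        // request arrived over TLS, otherwise the browser would discard it on plain HTTP.
        private String harden(String setCookie, boolean wantSecure) {
            String lower = setCookie.toLowerCase();
            if (!lower.contains("httponly")) setCookie += "; HttpOnly";
            if ((wantSecure || secureRequest) && !lower.contains("secure")) setCookie += "; Secure";
            return setCookie;
        }
    }
}
```

On Servlet 3.0 or later the same wrapper can simply call c.setHttpOnly(true) before delegating to super.addCookie(c), and the session cookie can be flagged in web.xml instead.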
My most recent information about the new security features that Oracle brought with the new updates says that the HttpOnly implementation is now available in Oracle ATG 10.1 (not in the patch for version 9.4), along with other good fixes.
Please, look at this:
Basically, it just has some links into the documentation for the new Oracle ATG 10.1 product. Here are the links:
SecurityServlet and ParameterValidator
HttpOnly Attribute for Cookies
So, you will have to patch up to get these improvements.
BTW, this version update brings good PCI compliance security fixes (about thirteen).