How to set httponly cookies in J2EE 5

Similar Messages

• How to set a cookie in the browser from an html page called via an Iview

  How to set a cookie in the browser from an html page called via an Iview
  Hello all,
  I have an issue which is causing problems. I have a snap survey (html form with submit and cookie setting) which is embedded in a url iview.
  Although the submit and the form work fine, the portal will not allow the cookie to be set it seems.
  Is there a way to allow cookies to be set from an embedded page in a url iview??
  You will make my day if you know!
  System: EP7 SP13
  Kind regards
  Alex

  Hi,
  Check this:
  http://www.oracle.com/technology/products/ias/portal/html/same_cookie_domain_with_pdkv2.html
  Cookie Basics
  Web browsers have built in rules for receiving and sending cookies. When a browser makes a request to a web server and the web server returns cookies with the response, the browser will only accept a cookie if the domain associated with the cookie matches that of the original request. Similarly, when a browser makes a subsequent request, it will only send those cookies whose domain matches that of the target web server.
  These rules are designed to ensure that information encoded in cookies is only "seen" by the web server(s) that the originator of the cookie intended. These rules also ensure that the cookie cannot be corrupted or imitated by another server. By default, the domain associated with a cookie exactly matches that of the server that created it. However, it is possible to modify the domain at the time the cookie is created. Relaxing the cookie domain increases the scope of the cookie's visibility making it available to a wider "audience" of web servers.
  For example, if a cookie is created by a.us.oracle.com, it's domain will usually be set to a.us.oracle.com. This means that the browser will only send the cookie to a.us.oracle.com. It will never send it to any other servers. However, if at the time of creation, the domain of the cookie is set to .us.oracle.com, the browser will send the cookie to any server whose domain falls within .us.oracle.com. such as portal.us.oracle.com, provider.us.oracle.com, app.us.oracle.com etc
  Regards,
  Praveen Gudapati

• How to set HTTP cookie ORA_adf_viewScope

  Hi,
  I'm recording ADF page navigation using LoadRunner. From the browser, I see that one POST request sets http cookie ORA_adf_viewScope and the subsequent GET submits this cookie as part of the HTTP header. I don't see this cookie from any of the page source. LoadRunner is not able to record this cookie as well. Hence when I replay LR script, the GET request returns wrong page.
  Any one knows how to set this cookie?
  Thanks,
  Tong
  Edited by: user708470 on Jun 18, 2009 12:07 PM

  I believe it is possible since axis adapter provides very same functionality. Let me summarize my scenario may be it helps:
  I am trying to call series of webservice lets say in a BPM. First service (login service) will provide me with a session id (in http header with key Set-Cookie) then I will call another service which has that session id in its http header with key cookie then I am going to logout. So I am testing the second part now, but it doest let me send cookie http header parameter.
  I hope I clarified a bit more my problem.
  Regards,

• How to set the cookie or session of one domain to another domain

  Hi,
  I am using tomcat server. I am facing a issue of session lost when I am moving from one domain to another domain.
  e.g. http://mydomain.com/ to http://a.mydomain.com.
  Is there any way to set the cookie or same session to sub domain in tomcat.
  Please help me. I will be highly obliged.

  a tutorial from JavaWorld
  http://www.javaworld.com/javaworld/jw-01-2001/jw-0126-servlets.html?page=1

• How to set Environment Settings for J2EE?

  hi i don't know java but know a little vb6
  i would like make and compile this:
  http://java.sun.com/developer/technicalArticles/peer/
  i downloaded all components... but can't figure out how to do:
  Table 1: Environment Settings for Compiling and Running J2EE Applications
  thanks..
  Message was edited by:
  Hopelessone

  You can't enter sites in a list to make Firefox remember names and passwords for specific sites.
  If the password manager is enabled (remember passwords is check-marked) then Firefox will ask via a pop-up from the key icon that appears on the location bar whether you want to remember that name and password and that name will then appear in the list in the password manager window.
  *http://kb.mozillazine.org/Password_Manager
  *https://support.mozilla.org/kb/make-firefox-remember-usernames-and-passwords
  Websites can use autocomplete=off to prevent Firefox from saving the name and password.<br />
  You can remove autocomplete=off with a bookmarklet to make Firefox save the name and password in such a case.
  *http://kb.mozillazine.org/User_name_and_password_not_remembered

• How to set runtime references in J2EE library DC's

  Hi,
  I'm building an custom logon module. This is well described in
  http://help.sap.com/saphelp_nw04/helpdata/en/46/3ce9402f3f8031e10000000a1550b0/content.htm
  I created the following DC:
  1. simple java project DC that contains the login module class
  2. J2EE library DC that will act as the deployable component.
  The part "Make reference to the Security Provider service of the J2EE Engine." (2b) is where i get stumped:
  http://help.sap.com/saphelp_nw04/helpdata/en/bf/93d84072378031e10000000a1550b0/content.htm
  The example adds the reference direct to the provider.xml. I don't have that option when I develop the library as a DC.
  It seems that while EAR file DC's allow the adding of runtime library references via the application-j2ee.xml file, it seems that is not possible for J2EE library DCs.
  Specifically, I'm trying to get the follwing entry into the provider.xml:
  <references>
    <reference provider-name="sap.com" strength="weak" type="interface">security_api</reference>
  I saw one workaround in the SDN where they suggest to extract the provider.xml from the SDA and manually
  add the references but this isn't really an option in our case.
  Should I be deploying 'normal' EAR files in this case ? Have I overlooked something ?
  thanks
  Michael

  Hi,
  talk about overlooking the obvious . . . The appropriate public part is present in com.sap_SAP-JEE_1.
  Adding that worked.
  Michael

• How to set exceptions for automatic cookie-clearing on closure?

  Firefox is forgetting my two-step google logins. On the google two-step verification page, there's a checkbox which says "Don't ask for codes again on this computer."
  But firefox keeps asking for codes.
  i have firefox set to clear cookies on closing.
  i also have the urls below set as exceptions, in two places:
  -in about:permissions, they are all set to allow, and also to keep offline data without asking
  -in options/privacy/exceptions
  mail.google.com
  maps.google.com
  calendar.google.com
  www.google.com
  shopping.google.com
  plus.google.com
  *.google.com
  google.com
  gmail.com
  this forum is messing up my list, above. Each url is a separate item in exceptions. The bulleted one actually starts with a star. (good job mozilla, thanks for this ancient text editor)
  how do clear all cookies EXCEPT the ones above, when i close firefox? Or, is this not a cookie problem?
  do i need to include "http://"
  this article did not help
  https://support.mozilla.org/en-US/questions/974020

  That worked. (no, it didn't)
  It's very confusing that Firefox has settings for how to handle cookies on closing in three different places. They should change that.
  "Keep until I close Firefox" seems redundant with "Clear History when Firefox closes" with "Cookies" checked. Then there are settings in "about:permissions". No way to know which one takes precedence. That's poor user-design.
  For others having this problem, here's a clear explanation. However, this is only PART of the fix, hoping to find the complete fix later in this thread.
  You CAN make FF keep only certain cookies on closing, and erase all others. Here's how to set all cookies to be cleared as soon as you close firefox, except your exceptions:
  # Go to Tools > Options > Privacy.
  # Under "History", pick "Firefox will Use custom settings for history"
  # Click "Exceptions", and add the cookies you want to keep. Click "Close"
  # Click "Keep until I close Firefox"
  # If you have "Clear History when Firefox closes" checked, then:
  * Click "Settings"
  * Uncheck "Cookies", and click "OK".
  6. Click "OK" to close the settings box.
  (now this forum has a formatting toolbar, thx! why didn't have one before?)

• How to set the domain of a cookie in localhost environment

  in some scenario i have to set the domain of cookie on my local environment,
  how can be done?????????????
  i.e http://localhost:7001/myapp/testservlet
  how to set the cookie domain for "myapp"

  Hi
  After Some googling I could find out this for you. I think it is a bug with IE.
  http://www.webmasterworld.com/forum21/11530.htm
  The idea is to use a virutal host.
  HTH
  VJ

• Survey limits, how do I set up cookies in APEX

  I have a survey on apex 3.1 and need to know if there is a easy way to keep the survey people from filling out the survey just one time from just one pc. I thank that their is the use of cookies but I don't know how to set it up.

  Hi,
  The standard login page contains an example of how to set up cookie during the page submit process:
  begin
  owa_util.mime_header('text/html', FALSE);
  owa_cookie.send(
      name=>'LOGIN_USERNAME_COOKIE',
      value=>lower(:P101_USERNAME));
  exception when others then null;
  end;If you set a "Before Header" process to something like:
  declare
  my_cookie OWA_COOKIE.cookie := OWA_COOKIE.get ('MYCOOKIE');
  begin
  return my_cookie.vals(1);
  end;this will return the value of the MYCOOKIE cookie.
  However, as the user can delete their cookies, this may, in fact, not be entirely what you need?
  One thing could look into would be the owa_util.get_cgi_env() function as this will allow you to retrieve some information about the end-user.
  Andy

• How to set JSESSION ID as secure in Weblogic 10.3.5.0

  Hi,
  I wanted to set my cookies secure, I am trying to make jsesion Id cookie also secure.
  We are using Weblogic 10.3.5.0, For all other cookies we set, cookies.setSecure(true) while creating the cookie itself as per Servlet API.
  But for JSession Id, i am not able to set it to secure true. I tried setting cookies-secure flag to true, but it didnot worded out for me.
  If any body knows how to set JsessionId cookie secure in Weblogic 10.3.5.0, Please let me know.
  Thanks in advance....
  Edited by: 949596 on Aug 28, 2012 3:24 AM

  Looks like you are right that it does not work for WebLogic 10.3.5 (as the documentation shows: http://docs.oracle.com/cd/E21764_01/web.1111/e13711/thin_client.htm#i1053779)
  To see how you have to configure it correctly, you have consult the domain.xsd file (http://xmlns.oracle.com/weblogic/1.0/domain.xsd):
  <xs:complexType name="web-serverType">
      <xs:complexContent>
        <xs:extension base="dom:deploymentType">
          <xs:sequence>
            <xs:element minOccurs="0" name="web-server-log" nillable="true" type="dom:web-server-logType"></xs:element>
            <xs:element minOccurs="0" name="frontend-host" nillable="true" type="xs:string"></xs:element>
            <xs:element default="0" minOccurs="0" name="frontend-http-port" nillable="false" type="xs:int"></xs:element>
            <xs:element default="0" minOccurs="0" name="frontend-https-port" nillable="false" type="xs:int"></xs:element>
            <xs:element default="503" minOccurs="0" name="overload-response-code" nillable="false"></xs:element>
            <xs:element default="true" minOccurs="0" name="keep-alive-enabled" nillable="false" type="xs:boolean"></xs:element>
            <xs:element default="30" minOccurs="0" name="keep-alive-secs" nillable="false"></xs:element>
            <xs:element default="60" minOccurs="0" name="https-keep-alive-secs" nillable="false"></xs:element>
            <xs:element default="30" minOccurs="0" name="post-timeout-secs" nillable="false"></xs:element>
            <xs:element default="-1" minOccurs="0" name="max-post-time-secs" nillable="false" type="xs:int"></xs:element>
            <xs:element default="-1" minOccurs="0" name="max-post-size" nillable="false" type="xs:int"></xs:element>
            <xs:element default="false" minOccurs="0" name="send-server-header-enabled" nillable="false" type="xs:boolean"></xs:element>
            <xs:element minOccurs="0" name="default-web-app-context-root" nillable="true" type="xs:string"></xs:element>
            <xs:element minOccurs="0" name="charsets" nillable="true" type="xs:string"></xs:element>
            <xs:element minOccurs="0" name="url-resource" nillable="true" type="xs:string"></xs:element>
            <xs:element default="false" minOccurs="0" name="chunked-transfer-disabled" nillable="false" type="xs:boolean"></xs:element>
            <xs:element default="true" minOccurs="0" name="use-highest-compatible-http-version" nillable="false" type="xs:boolean"></xs:element>
            <xs:element default="false" minOccurs="0" name="use-header-encoding" nillable="false" type="xs:boolean"></xs:element>
            <xs:element default="true" minOccurs="0" name="auth-cookie-enabled" nillable="false" type="xs:boolean"></xs:element>
            <xs:element default="512" minOccurs="0" name="write-chunk-bytes" nillable="false" type="xs:int"></xs:element>
            <xs:element default="false" minOccurs="0" name="wap-enabled" nillable="false" type="xs:boolean"></xs:element>
            <xs:element default="false" minOccurs="0" name="accept-context-path-in-get-real-path" nillable="false" type="xs:boolean"></xs:element>
            <xs:element default="false" minOccurs="0" name="single-signon-disabled" nillable="false" type="xs:boolean"></xs:element>
            <xs:element minOccurs="0" name="web-deployment" nillable="true" type="xs:string"></xs:element>
            <xs:element minOccurs="0" name="work-manager-for-remote-session-fetching" nillable="true" type="xs:string"></xs:element>
            <xs:element minOccurs="0" name="client-ip-header" nillable="true" type="xs:string"></xs:element>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>Note that the default value for the auth-cookie-enabled element is 'true'. An example server configuration looks as follows (note that the occurrence
  of where the auth-cookie-enabled element is important - as we are dealing with a sequence):
  <server>
      <name>security_server</name>
      <ssl>
        <name>security_server</name>
        <enabled>false</enabled>
      </ssl>
      <machine>Machine1</machine>
      <listen-port>8001</listen-port>
      <cluster xsi:nil="true"></cluster>
      <web-server>
        <name>security_server</name>
        <web-server-log>
          <number-of-files-limited>false</number-of-files-limited>
        </web-server-log>
        <auth-cookie-enabled>false</auth-cookie-enabled>
      </web-server>
      <listen-address>axis-into-ict.nl</listen-address>
      <server-start>
        <name>security_server</name>
        <java-vendor>Oracle</java-vendor>
        <java-home>/home/oracle/jrockit-jdk1.6.0_29-R28.2.2-4.1.0</java-home>
        <arguments>-Xms512m -Xmx512m -Xgc:throughput</arguments>
      </server-start>
  </server>When looking in the admin console, you would expect the auth-cookie-enabled element, to be configurable in the
  environment, servers, your_server, protocols, http tab, for example, when configuring some timeouts in this screen
  you get the following in the config.xml
  <server>
      <name>security_server</name>
      <ssl>
        <name>security_server</name>
        <enabled>false</enabled>
      </ssl>
      <machine>Machine1</machine>
      <listen-port>8001</listen-port>
      <cluster xsi:nil="true"></cluster>
      <web-server>
        <name>security_server</name>
        <web-server-log>
          <number-of-files-limited>false</number-of-files-limited>
        </web-server-log>
        <keep-alive-secs>60</keep-alive-secs>
        <https-keep-alive-secs>120</https-keep-alive-secs>
        <post-timeout-secs>60</post-timeout-secs>
        <auth-cookie-enabled>false</auth-cookie-enabled>
      </web-server>
      <listen-address>axis-into-ict.nl</listen-address>
      <server-start>
        <name>security_server</name>
        <java-vendor>Oracle</java-vendor>
        <java-home>/home/oracle/jrockit-jdk1.6.0_29-R28.2.2-4.1.0</java-home>
        <arguments>-Xms512m -Xmx512m -Xgc:throughput</arguments>
      </server-start>
  </server>

• How to Set up HTTPOnly and SECURE FLAG for session cookies

  Hi All,
  To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
  I have found the below solutions.
  For setting up the HTTPOnly for the session cookies.
  1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
       this.sessioncookie.httponly = true;
  For setting up the secure flag for the session cookies.
  2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
       this.sessioncookie.secure = "true"
  Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).
  <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
  <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
  </cfif>
  But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.
  Your timely help is well appreciated.
  Thanks in advance.

  BKBK wrote:
  Abdul L Koyappayil wrote:
  BKBK wrote:
  You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
  I couldnt understand this. I mean how are you relating this with my question.
  When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
       If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
  Name:
  JSESSIONID
  Content:
  782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
  Domain:
  xyz.abc.pqr.com
  Path:
  Send for:
  Any kind of connection
  Accessible to script:
  No (HttpOnly)
  Created:
  Wednesday, September 3, 2014 2:25:10 AM
  Expires:
  When the browsing session ends
  BKBK wrote:
  2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
  Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
       I understood that setting thos flags (httponly/secure) is as per my wish. But my question was , is it necessary to set those flags forcf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.
  BKBK wrote:
  3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
  It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
       I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question. Apache vFabric will alos set secure to true automatically. Any idea??

• If user disable cookie how to set and use session with URL Rewritting

  if user disable cookie how to set and use session with URL Rewritting by append session ID in url

  If cookies are disabled, then app server will automatically try to use URL rewriting for session control. Programmer's responsibility is to encode any links or redirects using
  response.encodeURL("/yourPage.jsp")
  and
  response.encodeRedirectURL("/yourPage.jsp")
  See API for details
  http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletResponse.html#encodeURL(java.lang.String))

• How to set cookie value in one page and retrieve in another page using setA

  How to set cookie value in one page and retrieve in another page using setActionListener?
  I have tried with following code srcpage.jspx->destpage.jspx
  srcpage.jspx
  <af:table value="#{bindings.DepartmentsView1.collectionModel}"
  var="emp" rows="#{bindings.EMPView1.rangeSize}"
  first="#{bindings.EMPView1.rangeStart}"
  emptyText="#{bindings.DepartmentsView1.viewable ? 'No rows yet.' : 'Access Denied.'}">
  <af:column sortProperty="EmployeeName" sortable="false"
  headerText="Cookie Testing">
  <af:commandLink text="#{emp.EmployeeName}" action="success">
  <af:setActionListener from="#{emp.EmployeeName}"
  to="#{cookie}"/>
  </af:commandLink>
  </af:column>
  </af:table>
  espage.jspx
  <af:outputText value="Test Cookie Value: #{cookie}"/>
  ,Here Test Cookie Value prints the following instead of its original String value
  {JSESSIONID=javax.servlet.http.Cookie@7da288, oracle.uix=javax.servlet.http.Cookie@399f62}
  I have passed employee name "Robert" to cookie in srcpage.jspx,but it prints "JSESSIONID....." instead of "Robert" in destpage.jspx
  Thanks in advance
  Kalee

  Hi,
  "cookie" is a reserved name. If you want to write to a session scope attribute called "cookie" then you have to call #{sessionScope.cookie}. If you want to use EL to set and read from cookies then you will have to use
  #{cookie.cookieName}
  Note that #{cookie} writes to and returns a map
  check this: http://www.informit.com/articles/article.aspx?p=30946&seqNum=7
  Frank

• How to Set cookie in AIR with HTML/Javascript

  Can someone explain or post example code as to how I can go
  about setting a cookie in AIR using HTML and Javascript?
  I have an AIR app that requires the user to login on a form
  that lives in a non-applicationSandbox. I know how to
  create/modified/delete cookies using JS and a web browser, but the
  same code returns a cookie with a null value. I'm sure I'm just
  missing one line/word of code to make this happen.
  The stripped down basics of setting and reading a cookie
  using Javascript:
  document.cookie("myCookie = yummy");
  var taste = document.cookie;
  What am I doing wrong?

  quote:
  Originally posted by:
  anirudhs
  > So if I want to use cookies in AIR html/javascript the
  end user will need to have http access, whether it be from a public
  or private server?
  Yes.
  Though I am curious to why you are using cookies to store
  state on the client? This is AIR and you have access to the
  filesystem, local SQLite DB, encrypted local store, etc.
  Thanks for your previous answer anirudhs. Finally got a
  cookie thru Air! :P
  Some scenario's do require login via cookies for our webapps
  (in my case, chat w/ nicks which also logs users by serverside js +
  php, thereby allowing the same access method for web-browser login
  to the same chat rooms). It might be a bit of a stretch for some of
  us to attempt to code filesystem/SQlite/localStore updater for our
  web-users via js + php, although I know we could perhaps embed a
  hidden flash to do the localStore, and pass data back and forth
  from js, but that's lot of extra lifting, whereas browser cookies
  are naturally designed for such logins.
  I'm confused by the safari wording thou.. does the webkit
  security model in Air only work via user activated http (ie.
  clicking links), or is there some way Air can initiate an http
  connection (say using loader) to set or get cookies? It seems a
  pain to need to force the Air user to click and open a dead link
  just to activate a cookie session, even if it's only to a hidden
  frame.

• How to set cookie expire time

  Hi I'm new to jsp,
  please tell anybody, how to set cookie expire time.
  I know about setMaxAge(); but my requirement is set the expire time until close the browser or logout.
  And one more thing is how to delete cookies while logout.
  Thanks in advance
  achchayya.

  Hey,
  I understand what you are trying to say. solution is simple dont set setMaxAge , just create cookie and use it. It will be valid till you close the browser.
  Regards,
  SRI