Enabling httpOnly for session cookies

As a best practice, enable httpOnly on session cookies. A cookie that carries the httpOnly flag cannot be read or modified by JavaScript running in the browser, which reduces the impact of cross-site scripting (XSS) and makes cookie theft through injected script harder.

Before you begin

Complete the following task:

About this task

Session management cookies are good candidates for httpOnly. Do not enable httpOnly on cookies that storefront JavaScript must read, such as WC_CartTotal_ and WC_CartOrderId_ in the starter stores; the flag would break that client-side logic.
Tip: Use a tool such as the Firebug add-on for the Mozilla Firefox browser to view the list of cookies that exist on the storefront. This tool also shows whether each cookie has the httpOnly setting enabled.

Procedure

  1. In the WebSphere Application Server administrative console, expand Servers > Server types. Click WebSphere application servers.
  2. Select the server.
  3. Click the Configuration tab. In the Container Settings section, expand Web Container Settings. Click Web Container.
  4. In the Additional Properties section, click Custom Properties.
  5. In the Custom Properties page, click New.
  6. Add the following information in the General Properties fields to enable the httpOnly cookies setting (the value is a comma-separated list of cookie names; a trailing * matches any suffix):
     Name: com.ibm.ws.webcontainer.httpOnlyCookies
     Value: JSESSIONID,WC_GENERIC_ACTIVITYDATA,WC_AUTHENTICATION_*,WC_USERACTIVITY_*,WC_PERSISTENT,WCP_*,WC_identitySignature
  7. Click Apply.
  8. Click Save.
  9. Restart the server for the custom property to take effect.
  10. Repeat the previous steps for each server that you need to configure.
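After the restart, it is worth confirming from the browser side that the property took effect: every cookie named in the list should now arrive with HttpOnly, and storefront cookies such as WC_CartTotal_ should not. The following script is an added example, not part of the original page or IBM's own tooling. It takes raw Set-Cookie header values captured from a storefront response (the sample headers below are constructed) and checks them against the custom-property value from step 6. It assumes the value is a comma-separated list in which a trailing * is a wildcard and names are matched case-sensitively.

```python
"""Audit Set-Cookie headers against a WebSphere httpOnlyCookies list.

Added example (not from the original page or from IBM). It assumes the
com.ibm.ws.webcontainer.httpOnlyCookies value is a comma-separated list of
cookie names in which a trailing '*' matches any suffix, compared
case-sensitively, and it works on raw Set-Cookie header values captured
from a storefront response.
"""
from fnmatch import fnmatchcase

# Value from the procedure on the page.
HTTPONLY_COOKIES = (
    "JSESSIONID,WC_GENERIC_ACTIVITYDATA,WC_AUTHENTICATION_*,"
    "WC_USERACTIVITY_*,WC_PERSISTENT,WCP_*,WC_identitySignature"
)

# Constructed sample Set-Cookie header values (tokens are placeholders).
SAMPLE_HEADERS = [
    "JSESSIONID=0000SESSIONTOKEN:-1; Path=/; HttpOnly",
    "WC_AUTHENTICATION_1001=1001%2CTOKEN; Path=/; Secure; HttpOnly",
    "WC_PERSISTENT=TOKEN%3B-1; Path=/",          # covered by the list, flag missing
    "WCP_EXAMPLE=1; Path=/; httponly",            # attribute names are case-insensitive
    "WC_CartTotal_10151=0; Path=/",               # storefront cookie, must stay script-readable
]


def parse_patterns(value):
    """Split the custom-property value into its cookie-name patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def parse_set_cookie(header):
    """Return (cookie_name, has_httponly) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names (Path, Secure, HttpOnly, ...) are case-insensitive.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, "httponly" in attrs


def is_covered(name, patterns):
    """True if the cookie name matches any pattern ('*' is a wildcard)."""
    return any(fnmatchcase(name, pat) for pat in patterns)


def audit(headers, property_value=HTTPONLY_COOKIES):
    """Classify each cookie as 'ok', 'missing' (listed but no HttpOnly)
    or 'not_covered' (not in the list, so script-readable by design)."""
    patterns = parse_patterns(property_value)
    result = {"ok": [], "missing": [], "not_covered": []}
    for header in headers:
        name, httponly = parse_set_cookie(header)
        if not is_covered(name, patterns):
            result["not_covered"].append(name)
        elif httponly:
            result["ok"].append(name)
        else:
            result["missing"].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_HEADERS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

A non-empty "missing" bucket after the restart means the property was not applied to that server (step 10) or the cookie name does not match a pattern in the list. Cookies in "not_covered" are expected to be script-readable; check that only the intended storefront cookies land there.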