Enabling HTTPONLY & SECURE Cookies for Fastpath

Jason_Hall · February 4, 2010, 10:30pm

Hi All,

We’ve recently had a security audit run on our business, and have been advised that our webchat service (provided via Fastpath & Wildfire) is utilising cookies without the HTTPONLY & SECURE flags set.

I’ve plenty of poking around & googling without much success in actually understanding how I should be enabling this…

We are using IIS, with RESIN providing the JSP stuffs via the ISAPI plugin.

I’m confused as to whether I should be setting this within IIS, RESIN, or perhaps the Fastpath JSP itself?

Any and all help on this would be much appreciated!

Thanks

Jason

Jason_Hall · February 4, 2010, 11:15pm

I’ve found a section on the Caucho website that says to use the following code in the Resin.xml file, however it is refering to Resin 4.0…

true

As we are running Resin 3.0.21, I’m not sure this will be exactly the same… We have this in the resin.conf file, perhaps we can add the cookie httponly tag here?

/>

i.e. change to:

true

</web-app id="/">