Cross-site scripting (XSS) is the leading class of security vulnerability in web applications today. The vulnerability exists when attackers are able to inject client-side script into web pages by tricking the browser into trusting script served from malicious hosts. These scripts usually read user and session information stored in cookies, which allows the attacker to forge trusted user behavior. The result can allow hijackers to control your user account, change your account settings, or redirect web traffic to malicious or false-advertising sites. Recently, there has been an increase in high-profile cross-site scripting attacks on sites like Twitter and IBM's DeveloperWorks, which illustrates how common these vulnerabilities are on web sites both large and small.
Because cross-site scripting is such a significant and universal threat (a few cross-site scripting issues have been fixed in Tomcat 7), an unofficial extension to the Cookie specifications - httpOnly cookies - has been introduced to combat it. Although it is unofficial, it is widely supported. This feature reduces the risk of these security vulnerabilities by preventing the browser from allowing scripts to access information stored in cookies.
In Tomcat, the use of the httpOnly flag on a cookie is controlled by a new Context element attribute called useHttpOnly. When this is enabled, it prevents client-side scripts from accessing session IDs in cookies. By default, this cross-site scripting protection is turned on in Tomcat 7 (useHttpOnly is set to true). You can also turn it on in Tomcat 5.x and Tomcat 6.x, but there it is turned off by default, mainly due to backwards-compatibility concerns.
For Tomcat installations that host multiple web applications, it is possible to configure this context attribute globally, or individually for specific applications. The value set in the context.xml of an individual web application will override anything configured in the global defaults. For instance:
Setting useHttpOnly to true in the $CATALINA_BASE/conf/context.xml file will turn on cross-site scripting protection for all webapps.
Setting useHttpOnly to false in the $CATALINA_BASE/conf/[enginename]/[host]/context.xml.default file will override the script protection for all webapps of that host.
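As an added example (not taken from the page or from the Tomcat distribution), this is what the global $CATALINA_BASE/conf/context.xml looks like with the useHttpOnly attribute set explicitly. The WatchedResource entry is the one Tomcat ships in its sample context.xml; everything else is the attribute the text describes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $CATALINA_BASE/conf/context.xml: the default Context for every web
     application on this Tomcat instance. Example file, not the page's own.
     useHttpOnly="true" makes Tomcat append the HttpOnly flag to the
     JSESSIONID cookie so that document.cookie in the browser cannot read it.
     Tomcat 7 already defaults to true; set it explicitly on 5.x/6.x, where
     the default is false. -->
<Context useHttpOnly="true">

    <!-- Reload the application when its deployment descriptor changes
         (present in Tomcat's shipped context.xml; unrelated to httpOnly). -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>

</Context>
```

To verify the effect, log in to any deployed application and inspect the response headers: the Set-Cookie header for JSESSIONID should end with an HttpOnly attribute. A per-host file such as $CATALINA_BASE/conf/Catalina/localhost/context.xml.default (Catalina and localhost being the default engine and host names) with useHttpOnly="false", or a useHttpOnly attribute in an individual application's META-INF/context.xml, takes precedence over this global setting, so when the flag is unexpectedly missing, check those more specific files first.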
Further, because the httpOnly flag is part of the Servlet 3.0 specification, you can apply it to any cookie, not just session cookies. For more information on setting this attribute and others, see the Apache Tomcat 7 Configuration Reference on the Context Container.
By preventing these scripts from accessing sensitive cookie information, the potential for damage is severely limited. Where problems may arise is in web applications that use applets. If the applet requires information about the user session, setting the context attribute useHttpOnly to true will prevent that applet from accessing the session information.