jsfweb.xmlsession-hijacking

web.xml error when using 'HttpOnly' and 'Secure' attributes


I want to make my JSF application less vulnerable to session hijacking. So I have added the following code to the web.xml file.

<session-config>
    <session-timeout>
        60
    </session-timeout>
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
        <max-age>1800</max-age>
    </cookie-config>
</session-config>

Then when I run the application, deployment fails in Payara Server with the following message.

Deployment descriptor file WEB-INF/web.xml in archive [chims-0.1].  cvc-complex-type.2.4.a: Invalid content was found starting with element '{"http://xmlns.jcp.org/xml/ns/javaee":http-only}'. One of '{"http://xmlns.jcp.org/xml/ns/javaee":max-age}' is expected.

I use version 4 of web.xml

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

How can I get rid of this error?


Solution

  • http-only element comes before secure element in the sequence. See web-common_4_0.xsd for the cookie-configType type description.

    Your config should be:

    <session-config>
        <session-timeout>
            60
        </session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
            <max-age>1800</max-age>
        </cookie-config>
    </session-config>