Cross-site Scripting and Cookies

Securing Server-side Cookies

HttpOnly

Setting the HttpOnly flag on cookies forces the browser to prevent (disallow) scripts from accessing the cookies. This prevents JavaScript that might be introduced through an XSS attack into a browser page to access cookie data and send it to a different person. Stolen cookie data can also be used to hijack a browser session.

Secure Flag

With the Secure flag set, cookies are transmitted only from the browser to the server when the connection is secured by using the HTTPS protocol. This setting is applicable to HTTPS connections only. Therefore, you must configure GAX to use an HTTPS connector, not an HTTP connector.

Setup

Follow these recommendations to configure the HttpOnly and Secure flags.

HttpOnly

Open and edit the following file: $CATALINA_HOME/conf/context.xml

To set the HttpOnly flag, add the following attribute:

useHttpOnly="true"

The main tag should be:

<Context useHttpOnly="true">

Instead of: <Context>

Secure Flag

Open and edit the following file: $CATALINA_HOME/conf/server.xml

To set the Secure flag, add the following attribute to the HTTPS connector:

secure="true"

The flag must not be applied to any non-HTTPS connectors. If you apply the flag to an HTTP connection, it will become unusable for Genesys Administrator Extension.

The following is an example of a valid connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/home/gcti/keystore.key" keystorePass="genesys"
clientAuth="false" sslProtocol="TLS" />

Cross-site Scripting and Cookies

Contents

Securing Server-side Cookies

HttpOnly

Secure Flag

Setup

HttpOnly

Secure Flag

Contact

Genesys

Customer Care

Legal