IBM Support

HttpOnly support in ClearQuest Web

Technote (FAQ)


Question

Does IBM Rational ClearQuest Web support HttpOnly for enhanced security?

Cause

HttpOnly is a security enhancement supported by modern browsers. A cookie flagged HttpOnly cannot be read by client-side script, which reduces the probability that an attacker can use a cross-site scripting (XSS) flaw to read sensitive information stored in cookies and impersonate you. You can read more about HttpOnly at this site:
https://www.owasp.org/index.php/HttpOnly


Answer

HttpOnly is supported in the following versions and in newer versions of WebSphere and ClearQuest.


  1. For WebSphere 8:
    To enable HttpOnly on session management cookies (for example, JSESSIONID), connect to your WebSphere administration console and go to:

    Application servers > server1 > Session management > Cookies

    Select "Set session cookies to HTTPOnly to help prevent cross-site scripting attacks".


  2. For WebSphere 7 and WebSphere 6.1:
    Follow the steps on the link below to set the com.ibm.ws.webcontainer.HTTPOnlyCookies property. It should include JSESSIONID, e.g.

    com.ibm.ws.webcontainer.HTTPOnlyCookies=JSESSIONID

    (note: cookie names specified here are matched case-insensitively)

    Web container custom properties
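To confirm the setting took effect after the server restart, the following added example (not part of this technote and not IBM code) parses the Set-Cookie headers from a ClearQuest Web login response and reports which of the required cookies lack the HttpOnly attribute. The sample headers and the "pref" cookie are constructed; the required-cookie list mirrors the com.ibm.ws.webcontainer.HTTPOnlyCookies value and is matched case-insensitively, as the property is.

```python
"""Check Set-Cookie headers for the HttpOnly attribute (added example).

After enabling HttpOnly in WebSphere, capture the Set-Cookie headers from a
ClearQuest Web login response and run them through check_httponly().
The sample headers below are constructed, not taken from a real server.
"""

# Cookie names that must carry HttpOnly. Mirrors the value you would put in
# com.ibm.ws.webcontainer.HTTPOnlyCookies; matched case-insensitively, as
# WebSphere matches the property.
REQUIRED_HTTPONLY = ["JSESSIONID"]


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lowered.
    Flag attributes such as HttpOnly and Secure are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie["attrs"][key.strip().lower()] = val.strip() if val else True
    return cookie


def check_httponly(headers, required=REQUIRED_HTTPONLY):
    """Return names of required cookies that were set without HttpOnly."""
    wanted = {n.lower() for n in required}
    missing = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].lower() in wanted and "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


# Constructed samples: a response before and after the setting is applied.
SAMPLE_BEFORE = ["JSESSIONID=0000abc123:-1; Path=/; Secure",
                 "pref=compact; Path=/"]
SAMPLE_AFTER = ["JSESSIONID=0000abc123:-1; Path=/; Secure; HttpOnly",
                "pref=compact; Path=/"]

if __name__ == "__main__":
    print("before:", check_httponly(SAMPLE_BEFORE))  # ['JSESSIONID']
    print("after:", check_httponly(SAMPLE_AFTER))    # []
```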

Document information

More support for: Rational ClearQuest Web Server (7.1)

Software version: 7.1.2.5, 8.0.0.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1587440

Modified date: 13 November 2014