Question & Answer
Question
Does IBM Rational ClearQuest Web support HttpOnly for enhanced security?
Cause
HttpOnly is a cookie security flag supported by modern browsers. A cookie marked HttpOnly is not exposed to client-side script, which reduces the probability that an attacker can use a cross-site scripting (XSS) attack to read sensitive information stored in cookies and impersonate you. You can read more about HttpOnly at this site:
https://www.owasp.org/index.php/HttpOnly
Answer
HttpOnly is supported in the following versions and in newer versions of WebSphere and ClearQuest.
- WebSphere 6.1.0.29 (ClearQuest 7.1.2.5)
- WebSphere 7.0.0.9 (ClearQuest 8.0.0.1)
- WebSphere 8.0 (ClearQuest 8.0.0.1)
- For WebSphere 8:
  To enable HttpOnly on session management cookies (for example, JSESSIONID), connect to your WebSphere administration console and go to:
  Application servers > server1 > Session management > Cookies
  Select "Set session cookies to HTTPOnly to help prevent cross-site scripting attacks".
- For WebSphere 7 and WebSphere 6.1:
  Follow the steps in the document linked below to set the com.ibm.ws.webcontainer.HTTPOnlyCookies property. Its value should include JSESSIONID, for example:
  com.ibm.ws.webcontainer.HTTPOnlyCookies=JSESSIONID
  (Note: cookies specified here are case-insensitive.)
  Web container custom properties
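To confirm that the setting took effect, check the Set-Cookie headers that ClearQuest Web returns. The script below is an added example, not part of the original IBM document or of any IBM tooling; it scans saved response headers and reports session cookies that were set without the HttpOnly attribute. The sample headers and the function names are constructed for illustration.

```python
# Added example: verify that session cookies in an HTTP response carry HttpOnly.
# The response headers below are constructed sample data, not captured output.

SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=0000abcDEF123:-1; Path=/; HttpOnly
Set-Cookie: jsessionid=0000HttpOnly456:-1; Path=/cqweb
Set-Cookie: theme=HttpOnly; Path=/
"""


def parse_set_cookie(line):
    """Return (name, set_of_lowercased_attribute_names) for one Set-Cookie line,
    or None if the line is not a Set-Cookie header."""
    header, sep, value = line.partition(":")
    if not sep or header.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attributes follow the first ';'. Only attribute names are collected,
    # so "HttpOnly" inside a cookie *value* is never mistaken for the flag.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_httponly(raw_headers, names=("JSESSIONID",)):
    """List the cookies named in `names` that were set without HttpOnly.
    Names are compared case-insensitively, like the property's cookie list."""
    wanted = {n.lower() for n in names}
    missing = []
    for line in raw_headers.splitlines():
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        name, attrs = parsed
        if name.lower() in wanted and "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"{name}: set without HttpOnly")
```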
Document Information
Modified date:
29 September 2018
UID
swg21587440