
Need help in Hiding Session ID by using httpOnly

natrajr83
P: 4
Hi,

I am working on a secure project which uses SSL. I want to hide the Session ID which gets generated from the public view. I am testing with both IE6 and also Mozilla Firefox. I tried googling and found that httpOnly can be used to hide the Session ID. I wrote a script in my code which works perfectly fine to hide the cookies. But the Session ID gets visible when a button is clicked. It doesn't appear when I click on different menus or links in the same page. So I tried to use the function used in the script inside the onclick but in vain. Please check my coding and tell me if there is any solution for this.

[CODE=javascript]
<script language="JavaScript" type="text/JavaScript">
public function getHttpOnly()
{
    var arg = name + "=";
    var alen = arg.length;
    var clen = document.cookie.length;
    var i = 0;
    while (i < clen) 
    {
        var j = i + alen;
        if (document.cookie.substring(i, j) == arg)
        return getCookieVal (j);
        i = document.cookie.indexOf(" ", i) + 1;
        if (i == 0) break;
    }
    return null;
}
public function setHttpOnly(true)
{
    document.cookie = httponly;
}
</script>
[/CODE]
onclick:
[CODE=html]
<html:submit styleClass="submitBtn" onmouseover="this.className='submitBtnH';" onmouseout="this.className='submitBtn';" property="method"  onclick="return(solUserRegisterassignBool() && sethttpOnly(true));"><bean:message key="button.save"/></html:submit>
[/CODE]
Oct 14 '07 #1
5 Replies


acoder
Expert Mod 15k+
P: 16,027
Welcome to TSDN!

Note that you can't really hide anything with JavaScript. If you want to hide something, use a server-side language, e.g. JSP.

Please use code tags when posting code:

[CODE=javascript]
JavaScript code here...
[/code]
Oct 14 '07 #2

natrajr83
P: 4
Hi,
Thanks for your reply. I am using the JavaScript inside the JSP page only. The project uses Struts Framework. I gave the above sample code to see if there is any mistake that I have made. I have just given the JS code and also the place where I use it for your reference.

Regards,
Nataraj
Oct 15 '07 #3

dmjpro
100+
P: 2,476
How does the cookie come to the public?

Debasis Jana
Oct 15 '07 #4

natrajr83
P: 4
I installed a plugin in Firefox called Live HTTP Headers. It opens like a browser window. There we have the option to view the session ID if it's available.

Example of the details available inside the Window:

GET / HTTP/1.1
Host: disney.go.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: SWID=D1FF10FA-130D-4EBF-896F-8E4A60EEF811; hbxRF=http://home.disney.go.com/guestservices/international; INTER=0; return_path=http%3A//home.disney.go.com/travel/index; detect_cookie=FL%7Chttp%3A//home.disney.go.com/travel/index; CP=n
Oct 15 '07 #5

natrajr83
P: 4
In Firefox, the same can be found by clicking on the Lock symbol available in the right-hand side corner of the address bar if it is a secured website. After clicking on that symbol we get the Page Info window. In that, if we click on the Header tab, all this information which I have given above will be visible. This is an alternative to installing the plugin in Firefox.
Oct 15 '07 #6
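
What HttpOnly does and does not hide, as an added example that is not part of the thread or any poster's code: a simplified cookie-jar model (keyed by name only) run over constructed Set-Cookie headers. The JSESSIONID cookie name, the class and function names, and all values are assumptions made for illustration.

```javascript
// Simplified model of a browser cookie jar (keyed by name only; a real jar also
// keys on domain and path). All cookie values below are constructed samples.
const SAMPLE_SET_COOKIE = [
  "JSESSIONID=CONSTRUCTED0123456789; Path=/; Secure; HttpOnly",
  "theme=dark; Path=/",
];

// Parse a Set-Cookie value (or a document.cookie assignment) into its parts.
function parseCookie(text) {
  const [pair, ...attrs] = text.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore
  const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1),
           httpOnly: flags.has("httponly"), secure: flags.has("secure") };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Cookie received in an HTTP response: every attribute is honoured.
  storeFromResponse(header) {
    const c = parseCookie(header);
    if (c) this.cookies.set(c.name, c);
  }
  // Write through document.cookie: per RFC 6265, script can neither create
  // an HttpOnly cookie nor overwrite an existing one.
  setFromScript(text) {
    const c = parseCookie(text);
    const old = c && this.cookies.get(c.name);
    if (!c || c.httpOnly || (old && old.httpOnly)) return false;
    this.cookies.set(c.name, c);
    return true;
  }
  serialize(keep) {
    return [...this.cookies.values()].filter(keep)
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
  // What page script reads from document.cookie.
  documentCookie() { return this.serialize((c) => !c.httpOnly); }
  // Cookie header attached to an outgoing request; HttpOnly does not remove it.
  requestCookieHeader(isHttps) { return this.serialize((c) => isHttps || !c.secure); }
}

function demo() {
  const jar = new CookieJar();
  SAMPLE_SET_COOKIE.forEach((h) => jar.storeFromResponse(h));
  return { script: jar.documentCookie(), https: jar.requestCookieHeader(true),
           http: jar.requestCookieHeader(false),
           upgrade: jar.setFromScript("theme=dark; HttpOnly"),
           overwrite: jar.setFromScript("JSESSIONID=replaced") };
}
console.log(demo());
```

The flag has to arrive in the server's Set-Cookie response header. The Cookie request header still carries the session ID, which is why a header viewer in the user's own browser shows it.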
