Fix/update Http-Only-Page

pages/HttpOnly.md

@@ -16,7 +16,7 @@ The goal of this section is to introduce, discuss, and provide language specific
 ### Who developed HttpOnly? When?
 
 According to a daily blog article by [Jordan Wiens, “No cookie for
-you!”](http://www.networkcomputing.com/careers/no-cookie-you/1270585242),
+you!”](https://www.networkcomputing.com/cybersecurity/no-cookie-for-you-),
 HttpOnly cookies were first implemented in 2002 by Microsoft Internet
 Explorer developers for Internet Explorer 6 SP1.
 
@@ -67,43 +67,48 @@ the browser *returns an empty string* as the result. This causes the
 attack to fail by preventing the malicious (usually XSS) code from
 sending the data to an attacker's website.
 
-##### Using Java to Set HttpOnly
+### Using Jakarta EE or Java EE to Set HttpOnly
 
-Since Java Enterprise Edition 6 (JEE 6), which adopted Java Servlet 3.0
-technology, it's programmatically easy to set the HttpOnly flag on a
-cookie.
+for more information , plwase check  [Java EE to Jakarta EE Transition](https://jakarta.ee/about/faq/#what-is-the-java-ee-to-jakarta-ee-transition).
 
-In fact `setHttpOnly` and `isHttpOnly` methods are available in the
-`Cookie` interface
-[JEE 6](http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setHttpOnly%28boolean%29),
-[JEE 7](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html#setHttpOnly-boolean-)
-and also for session cookies (JSESSIONID)
-[JEE 6](http://java.sun.com/javaee/6/docs/api/javax/servlet/SessionCookieConfig.html#setHttpOnly%28boolean%29),
-[JEE 7](https://docs.oracle.com/javaee/7/api/javax/servlet/SessionCookieConfig.html#setHttpOnly-boolean-)
-`cookie.setHttpOnly(true);`
+Since **Jakarta EE 9**, which adopted **Jakarta Servlet 5.0** technology, it's programmatically easy to set the `HttpOnly` flag on a cookie.
 
-Moreover, since JEE 6 it's also declaratively easy setting `HttpOnly`
-flag in a session cookie by applying the following configuration in the
-deployment descriptor `WEB-INF/web.xml`:
+In fact, the `setHttpOnly` and `isHttpOnly` methods are available in the [`jakarta.servlet.http.Cookie`](https://jakarta.ee/specifications/servlet/5.0/apidocs/jakarta/servlet/http/Cookie.html) interface, as well as for session cookies (`JSESSIONID`) using [`jakarta.servlet.SessionCookieConfig`](https://jakarta.ee/specifications/servlet/5.0/apidocs/jakarta/servlet/SessionCookieConfig.html):
+
+```java
+Cookie cookie = new Cookie("sessionId", "abc123");
+cookie.setHttpOnly(true);    // Mark the cookie as HttpOnly
+response.addCookie(cookie);
+```
+Moreover, since Jakarta EE 9, it's also declaratively easy to set the `HttpOnly` flag for session cookies by applying the following configuration in the deployment descriptor `WEB-INF/web.xml`:
 
 ```xml
-<session-config>
-   <cookie-config>
-    <http-only>true</http-only>
-   </cookie-config>
-</session-config>
+<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee 
+         https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
+         version="6.0">
+    <session-config>
+        <cookie-config>
+            <http-only>true</http-only>
+        </cookie-config>
+    </session-config>
+</web-app>
 ```
+For environments using  **Java EE 8**, which support **Servlet 4.0**, you can easily set the `HttpOnly` attribute :
 
-For Java Enterprise Edition versions *prior* to JEE 6 a common
-**workaround** is to overwrite the `SET-COOKIE` HTTP response header
-with a session cookie value that explicitly appends the `HttpOnly` flag:
+The`HttpOnly` flag can be set using the `jakarta.servlet.http.Cookie` (or `javax.servlet.http.Cookie` in Java EE 8) API:
 
 ```java
-String sessionid = request.getSession().getId();
-// be careful overwriting: JSESSIONID may have been set with other flags
-response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
+
+import jakarta.servlet.http.Cookie;
+Cookie cookie = new Cookie("sessionId", "abc123");
+cookie.setHttpOnly(true); // Set the HttpOnly flag
+response.addCookie(cookie);
+
 ```
 
+
 In this context, overwriting, despite appropriate for the `HttpOnly`
 flag, is discouraged because the JSESSIONID may have been set with other
 flags. A better workaround is taking care of the previously set flags or

pages/attacks/Session_fixation.md

@@ -93,7 +93,8 @@ Server
 6. knowing the session ID, the attacker can access the user's
 account.
 
-![](https://wiki.owasp.org/images/9/9c/Fixation.jpg)
+![Session sniffing](../assets/images/attacks/Session_Attacks_Fixation.jpg)
+
 
 Figure 1. Simple example of Session Fixation attack.
 
@@ -128,7 +129,7 @@ the server response can be made, intercepting the packages exchanged
 between the client and the Web Application inserting the Set-Cookie
 parameter.
 
-![](https://wiki.owasp.org/images/e/ed/Fixation2.jpg)
+![Session sniffing](../assets/images/attacks/Session_Attacks_Fixation2.jpg)
 
 Figure 2. Set-Cookie in the HTTP header response