From the wikipedia article:

The generic solution is to URL-encode strings before inclusion into HTTP headers such as Location or Set-Cookie.

Typical examples of sanitization include casting to integer, or aggressive regular expression replacement. It is worth noting that although this is not a PHP specific problem, the PHP interpreter contains protection against this attack since version 4.4.2 and 5.1.2.

Edit

im tied into using jsp’s with java actions!

There don’t appear to be any JSP-based protections for this attack vector – many descriptions on the web assume asp or php, but this link describes a fairly platform-neutral way to approach the problem (jsp used as an incidental example in it).

Basically your first step is to indentify the potentially hazardous characters (CRs, LFs, etc) and then to remove them. I’m afraid this about as robust a solution as you can hope for!

Solution

Validate input. Remove CRs and LFs (and all other hazardous characters) before embedding data into any HTTP response headers, particularly when setting cookies and redirecting. It is possible to use third party products to defend against CR/LF injection, and to test for existence of such security holes before application deployment.