Thanks Chris. This is really useful. As you suggested, this time I let Tomcat manage the session ID by removing response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid..... from the code. I could see the below result:

Set-Cookie: JSESSIONID=01D4A20F51FCE8F8401B47999524D8AB; Path=/UserHttpOnlyTest/; Secure; HttpOnly
I have one more question in the same context: is there a way to enable HttpOnly for the non-container-managed cookies other than programmatically? Adding the below lines in my application web.xml doesn't have an impact on the header:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
<session-config>

I got the cookie header as below, missing the HttpOnly details:

Set-Cookie: url="testing userHttpOnly"; Version=1; Max-Age=3600; Expires=Sun, 24-Nov-2013 08:37:37 GMT
Set-Cookie: Mr.x="testing the cookie"; Version=1

Thanks in advance.

On Fri, Nov 22, 2013 at 12:54 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Sush,
>
> On 11/21/13, 1:54 PM, sush3152 . wrote:
> > Hi, I have the below details about the problem. Please go through it
> > and let me know if I am making any mistakes.
> >
> > Environment: Tomcat 7
>
> Exactly which version of Tomcat 7?
>
> > Windows 7 / CentOS 6.3 64-bit, JDK 7, Mozilla Firefox 25.0.1
> >
> > CATALINA_HOME/conf/context.xml
> > <Context useHttpOnly="true"/>
> > <WatchedResource>WEB-INF/web.xml</WatchedResource>
> > </Context>
>
> You probably should not have modified this file (conf/context.xml).
> Instead, you should be using a META-INF/context.xml file in your web
> application. Note that "true" is the default value for this
> configuration setting, so you should not have to set it at all.
>
> Perhaps you have useHttpOnly="false" in your web application's
> context.xml and it is overriding?
>
> > Since I am using Tomcat 7 I don't think I need to configure
> > useHttpOnly="true" explicitly.
>
> You should not have to do so.
>
> > Java code which generates the cookie
> >
> > response.setContentType("text/html");
> > PrintWriter pw = response.getWriter();
> > Cookie cookie = new Cookie("url", "testing userHttpOnly");
> > Cookie cookie1 = new Cookie("Mr.x", "testing the cookie");
> > cookie.setMaxAge(60*60); //1 hour
> > String sessionid = request.getSession().getId();
> > String contextPath = request.getContextPath();
> > response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath);
> > response.addCookie(cookie);
> > response.addCookie(cookie1);
> > pw.println("Cookies created");
>
> Well, of course that code will not enable HttpOnly: you are creating
> the cookie yourself by emitting the "Set-Cookie" header. If you had
> let Tomcat create your JSESSIONID cookie for you, it would have
> included the "HttpOnly" flag.
>
> > With the below lines, I could see the ;HttpOnly along with the
> > cookie information in the HTTP header, and the same JavaScript code
> > returns "undefined", which is what I wanted.
> > response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath + "; HttpOnly");
> >
> > Conclusion: As per my understanding the cookie should be
> > HttpOnly with the way I configured my context.xml. No Java code is
> > required for that. But this is not happening for me. Please let me
> > know if I missed anything.
>
> Tomcat will not intercept your cookies and "correct" them to be
> HttpOnly. That would be a violation of the servlet specification.
> Tomcat will protect *its own* session cookie(s) by using the
> "HttpOnly" flag, not just any cookie you happen to send back to the
> client.
>
> - -chris
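Since the container only flags its own JSESSIONID cookie (via useHttpOnly or the web.xml <cookie-config>), the application cookies in the thread ("url" and "Mr.x") have to carry the flag themselves; the Servlet 3.0 API that Tomcat 7 implements exposes this as Cookie.setHttpOnly(boolean). The servlet below is an added example, not code from the thread; the class name and the "/cookies" mapping are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet name and mapping; requires the Servlet 3.0 API (Tomcat 7).
@WebServlet("/cookies")
public class HttpOnlyCookieServlet extends HttpServlet {

    // Build an application cookie with the flags the container will not add for us:
    // useHttpOnly and <cookie-config> only govern Tomcat's own JSESSIONID cookie.
    static Cookie protectedCookie(String name, String value, String path,
                                  int maxAgeSeconds, boolean secure) {
        Cookie c = new Cookie(name, value);
        c.setPath(path.isEmpty() ? "/" : path); // root context has an empty context path
        c.setMaxAge(maxAgeSeconds);             // -1 = session cookie (no Max-Age/Expires)
        c.setHttpOnly(true);                    // emits "; HttpOnly": hidden from document.cookie
        c.setSecure(secure);                    // emits "; Secure": only sent over TLS
        return c;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Let Tomcat create and flag JSESSIONID itself; never write that Set-Cookie header by hand.
        request.getSession(true);

        String contextPath = request.getContextPath();
        boolean secure = request.isSecure(); // mirror the request's scheme, as Tomcat does

        // Same two cookies as in the thread, now with HttpOnly (and Secure when on TLS).
        response.addCookie(protectedCookie("url", "testing userHttpOnly", contextPath, 60 * 60, secure));
        response.addCookie(protectedCookie("Mr.x", "testing the cookie", contextPath, -1, secure));

        response.setContentType("text/plain");
        PrintWriter pw = response.getWriter();
        pw.println("Cookies created");
    }
}
```

Verify with the browser's network panel: both application Set-Cookie headers should now end in HttpOnly, and document.cookie in the page's JavaScript should no longer list them.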