Thanks Chris. This is really useful.
As you suggested, this time I let Tomcat manage the sessionID by removing
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid..... from the
code. I could see the below result:
Set-Cookie: JSESSIONID=01D4A20F51FCE8F8401B47999524D8AB;
Path=/UserHttpOnlyTest/; Secure; HttpOnly

I have one more question in the same context: is there a way to enable
HttpOnly on the non-container-managed cookies other than programmatically?

Adding the below lines in my application web.xml doesn't have an impact on
the header:
<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
I got the cookie header as below, missing the HttpOnly details:
Set-Cookie: url="testing userHttpOnly"; Version=1; Max-Age=3600;
Expires=Sun, 24-Nov-2013 08:37:37 GMT
Set-Cookie: Mr.x="testing the cookie"; Version=1

Thanks in advance.


On Fri, Nov 22, 2013 at 12:54 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Sush,
>
> On 11/21/13, 1:54 PM, sush3152 . wrote:
> > Hi, I have the below details about the problem. Please go through it
> > and let me know if I am making any mistakes.
> >
> > Environment: Tomcat 7
>
> Exactly which version of Tomcat 7?
>
> > Windows 7 / CentOS 6.3 64-bit, JDK 7, Mozilla Firefox 25.0.1
> >
> >
> > CATALINA_HOME/conf/context.xml:
> > <Context useHttpOnly="true">
> >   <WatchedResource>WEB-INF/web.xml</WatchedResource>
> > </Context>
>
> You probably should not have modified this file (conf/context.xml).
> Instead, you should be using a META-INF/context.xml file in your web
> application. Note that "true" is the default value for this
> configuration setting, so you should not have to set it at all.
>
> Perhaps you have useHttpOnly="false" in your web application's
> context.xml and it is overriding?
>
> > Since I am using Tomcat 7 I don't think I need to configure
> > useHttpOnly="true" explicitly.
>
> You should not have to do so.
>
> > Java code which generates the cookie:
> >
> > response.setContentType("text/html");
> > PrintWriter pw = response.getWriter();
> > Cookie cookie = new Cookie("url", "testing userHttpOnly");
> > Cookie cookie1 = new Cookie("Mr.x", "testing the cookie");
> > cookie.setMaxAge(60 * 60); // 1 hour
> > String sessionid = request.getSession().getId();
> > String contextPath = request.getContextPath();
> > response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath);
> > response.addCookie(cookie);
> > response.addCookie(cookie1);
> > pw.println("Cookies created");
>
> Well, of course that code will not enable HttpOnly: you are creating
> the cookie yourself by emitting the "Set-Cookie" header. If you had
> let Tomcat create your JSESSIONID cookie for you, it would have
> included the "HttpOnly" flag.
>
> > With the below lines, I could see the ";HttpOnly" along with the
> > cookie information in the HTTP header, and the same JavaScript code
> > returns "undefined", which is what I wanted.
> > response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath + "; HttpOnly");
> >
> > Conclusion: As per my understanding the cookie should be
> > HttpOnly with the way I configured my context.xml. No Java code is
> > required for that. But this is not happening for me. Please let me
> > know if I missed anything.
>
> Tomcat will not intercept your cookies and "correct" them to be
> HttpOnly. That would be a violation of the servlet specification.
> Tomcat will protect *its own* session cookie(s) by using the
> "HttpOnly" flag, not just any cookie you happen to send back to the
> client.
>
> -chris
>
>
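Chris's point above (Tomcat flags only its own session cookie) also answers the follow-up question about web.xml: the Servlet 3.0 <cookie-config> element configures the session cookie only, so application cookies get HttpOnly only if application code sets it. One way to do that in a single place rather than in every servlet is a servlet filter that wraps the response. The following is an added example, not code from this thread or from Tomcat; the class names HttpOnlyCookieFilter and HardeningResponse are hypothetical, and it assumes the Servlet 3.0 API (Cookie.setHttpOnly), which Tomcat 7 implements.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not part of Tomcat): every cookie the application adds
 * through response.addCookie() gets the HttpOnly flag, and the Secure flag when
 * the request arrived over TLS. Cookies written by hand with
 * response.setHeader("Set-Cookie", ...) bypass addCookie() and are NOT touched.
 */
public class HttpOnlyCookieFilter implements Filter {
    /** Response wrapper that hardens cookies on their way out. */
    static class HardeningResponse extends HttpServletResponseWrapper {
        private final boolean secureRequest;

        HardeningResponse(HttpServletResponse response, boolean secureRequest) {
            super(response);
            this.secureRequest = secureRequest;
        }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setHttpOnly(true);      // Servlet 3.0 API, available in Tomcat 7
            if (secureRequest) {
                cookie.setSecure(true);    // do not let the browser send it over plain HTTP
            }
            super.addCookie(cookie);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            chain.doFilter(request, new HardeningResponse(httpResponse, request.isSecure()));
        } else {
            chain.doFilter(request, response);   // non-HTTP response: nothing to harden
        }
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Map it in web.xml with a <filter> and a <filter-mapping> on url-pattern /* so it wraps every response; the JSESSIONID cookie still comes from Tomcat and is unaffected.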
