Sush,

On 11/24/13, 5:05 AM, sush3152 . wrote:
> Thanks Chris. This is really useful. As you suggested, this time I
> let Tomcat manage the session ID by removing
> response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid.....
> from the code. I could see the below result:
> Set-Cookie: JSESSIONID=01D4A20F51FCE8F8401B47999524D8AB;
> Path=/UserHttpOnlyTest/; Secure; HttpOnly
>
> I have one more question in the same context: is there a way to
> enable HttpOnly on the non-container-managed cookies other than
> programmatically?

No. It's not appropriate for the container to interfere with cookies
added to a response by the application.

> Adding the below lines in my application web.xml doesn't have an
> impact on the header:
> <session-config>
>   <cookie-config>
>     <http-only>true</http-only>
>   </cookie-config>
> </session-config>

Nor should it. The above only affects the JSESSIONID cookie, and only
if Tomcat creates the cookie.

-chris
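
Since cookies the application adds itself have to be marked HttpOnly in code, one way to do that in a single place is a servlet filter that wraps the response. This is an added example, not code from the thread or from Tomcat; the class name HttpOnlyCookieFilter is hypothetical, and it assumes a Servlet 3.0+ container with the javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical filter (not from the thread): adds HttpOnly to cookies the
// application sets itself, which <cookie-config> in web.xml does not touch.
@WebFilter("/*")
public class HttpOnlyCookieFilter implements Filter {

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new HttpOnlyResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    // Appends the attribute to a raw Set-Cookie value unless it is already there.
    static String withHttpOnly(String value) {
        for (String attr : value.split(";")) {
            if (attr.trim().equalsIgnoreCase("HttpOnly")) return value;
        }
        return value + "; HttpOnly";
    }

    // Rewrites the value only for Set-Cookie headers (name match is case-insensitive).
    static String fix(String name, String value) {
        boolean cookie = value != null && "Set-Cookie".equalsIgnoreCase(name);
        return cookie ? withHttpOnly(value) : value;
    }

    static final class HttpOnlyResponse extends HttpServletResponseWrapper {
        HttpOnlyResponse(HttpServletResponse response) { super(response); }

        // Cookies added through the Servlet API (setHttpOnly needs Servlet 3.0+).
        @Override public void addCookie(Cookie cookie) {
            cookie.setHttpOnly(true);
            super.addCookie(cookie);
        }
        // Cookies written as raw headers, e.g. response.setHeader("SET-COOKIE", ...).
        @Override public void setHeader(String name, String value) {
            super.setHeader(name, fix(name, value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(name, fix(name, value));
        }
    }
}
```

The filter only sees cookies written through the wrapped response, so it must be mapped ahead of any other filter that sets cookies.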