A cookie is composed of many parts such as:
name, value, path, expiration, secure
Cookie.setValue is only meant to set the value of the cookie. Your code
had the lucky side effect of setting the path and the HttpOnly flag.
If you wish to set a cookie with the HttpOnly flasg set - you need to
skip using the HttpCookie object and you'll need to add your own header
to the response. For example:
response.addHeader("Set-Cookie", "v1=bar; Path=/; HttpOnly ");
-Tim
KalChitown wrote:
Tim,
Thanks for the reply. Can you explain what you mean by "becomes part of the
value". I thought I had them part of the cookieValue already?
Can point out the change I need to make in my code snippet?
-Kal
Tim Funk wrote:
With 6.0.18 : "; Path=/; HttpOnly" [literally] becomes part of the
cookie value. [That it worked before was sheer luck.]
-Tim
KalChitown wrote:
We recently upgraded from 6.0.14 to 6.0.18 due to an XSS security alert
we
received.
The following code was working in 6.0.14 version but not in 6.0.18. Can
anyone explain this or a work around.
String sessionId = "Our session ID";
String cookieValue = sessionId + "; Path=/; HttpOnly ";
Cookie cookie = new Cookie("sessionId", cookieValue);
cookie.setVersion(1);
response.addCookie(cookie);
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
