Hi, I have the below details about the problem. Please go through it and let me know if I am making any mistakes.
Environment
Tomcat7 7.0.47
Windows7/Centos6.3 64bit
jdk 7
Mozilla firefox 25.0.1
CATALINA_HOME/conf/context.xml
<Context useHttpOnly="true">
<WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
Since I am using Tomcat 7, I don't think I need to configure useHttpOnly="true" explicitly.
Java code which generates the cookies:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class UserHttpOnlyTestServlet extends HttpServlet { // class name assumed; the post shows only the method body
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.setContentType("text/html");
        PrintWriter pw = response.getWriter();
        Cookie cookie = new Cookie("url", "testing userHttpOnly");
        Cookie cookie1 = new Cookie("Mr.x", "testing the cookie");
        cookie.setMaxAge(60 * 60); // 1 hour
        String sessionid = request.getSession().getId(); // getSession() also makes Tomcat emit its own JSESSIONID Set-Cookie
        String contextPath = request.getContextPath();
        // setHeader replaces the Set-Cookie header Tomcat already wrote for the session
        response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath);
        response.addCookie(cookie);
        response.addCookie(cookie1);
        pw.println("Cookies created");
    }
}
When I verified the HTTP header, I was able to see the cookie values as
Set-Cookie: JSESSIONID=660BA8ABDC53B0B91AC53A533410FB2B; Path=/UserHttpOnlyTest
Set-Cookie: url="testing userHttpOnly"; Version=1; Max-Age=3600; Expires=Thu, 21-Nov-2013 19:30:14 GMT
Set-Cookie: Mr.x="testing the cookie"; Version=1
And
My browser could access the cookie using "document.cookie" and I could alert the cookie values.
With the below lines, I could see ";HttpOnly" along with the cookie information in the HTTP header, and the same JavaScript code returns "undefined", which is what I wanted.
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
+ "; Path=" + contextPath + "; HttpOnly" );
Conclusion: As per my understanding, the cookie should be HttpOnly with the way I configured my context.xml. No Java code is required for that. But this is not happening for me. Please let me know if I missed anything.
Thanks in advance.
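An added example, not the original poster's code: the manual response.setHeader("SET-COOKIE", ...) in the post replaces the Set-Cookie header Tomcat itself emitted for JSESSIONID when request.getSession() created the session, which is why the container's useHttpOnly setting never reaches the browser. The hypothetical servlet below leaves the session cookie to Tomcat and marks the application cookies HttpOnly through the Servlet 3.0 Cookie.setHttpOnly API that Tomcat 7 supports.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (example only): relies on Tomcat for the session cookie
// and flags application cookies HttpOnly so document.cookie cannot read them.
public class HttpOnlyCookieServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Creating the session is enough. With useHttpOnly="true" (the Tomcat 7
        // default) the container writes
        //   Set-Cookie: JSESSIONID=...; Path=/<context>; HttpOnly
        // itself. Never overwrite it with response.setHeader("Set-Cookie", ...):
        // setHeader discards every Set-Cookie header already on the response,
        // including the container's, and the HttpOnly flag is lost with it.
        request.getSession(true);

        // Application cookies are not covered by useHttpOnly, which only affects
        // the session cookie; set the flag per cookie (Servlet 3.0 API).
        Cookie url = new Cookie("url", "testing useHttpOnly");
        url.setMaxAge(60 * 60);   // 1 hour, as in the original post
        url.setHttpOnly(true);    // emitted as "; HttpOnly" on the Set-Cookie line
        response.addCookie(url);

        Cookie mrx = new Cookie("Mr.x", "testing the cookie");
        mrx.setHttpOnly(true);
        response.addCookie(mrx);

        response.setContentType("text/html");
        PrintWriter pw = response.getWriter();
        pw.println("Cookies created");
    }
}
```

To confirm, check the response headers in the browser's network tool: all three Set-Cookie lines should end with HttpOnly, and alert(document.cookie) should no longer show them.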