with useHttpOnly="true" my browser could access cookies through javascript.

 
Greenhorn
Hi, I have the below details about the problem. Please go through it and let me know if I am making any mistakes.

Environment
Tomcat7 7.0.47
Windows7/Centos6.3 64bit
jdk 7
Mozilla firefox 25.0.1


CATALINA_HOME/conf/context.xml
<Context useHttpOnly="true">
<WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
Since I am using Tomcat 7, I don't think I need to configure useHttpOnly="true" explicitly.

Java code which generates the cookie

response.setContentType("text/html");
PrintWriter pw = response.getWriter();
Cookie cookie = new Cookie("url", "testing userHttpOnly");
Cookie cookie1 = new Cookie("Mr.x", "testing the cookie");
cookie.setMaxAge(60 * 60); // 1 hour
String sessionid = request.getSession().getId();
String contextPath = request.getContextPath();
// writes the session cookie header by hand instead of leaving it to Tomcat
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath);
response.addCookie(cookie);
response.addCookie(cookie1);
pw.println("Cookies created");

When I verified the HTTP header, I was able to see the cookie values as
Set-Cookie: JSESSIONID=660BA8ABDC53B0B91AC53A533410FB2B; Path=/UserHttpOnlyTest
Set-Cookie: url="testing userHttpOnly"; Version=1; Max-Age=3600; Expires=Thu, 21-Nov-2013 19:30:14 GMT
Set-Cookie: Mr.x="testing the cookie"; Version=1
My browser could access the cookie using "document.cookie" and I could alert the cookie values.

With the below lines, I could see the ";HttpOnly" along with the cookie information in the HTTP header, and the same JavaScript code returns "undefined", which is what I wanted.
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath + "; HttpOnly");

Conclusion: As per my understanding, the cookie should be HttpOnly with the way I configured my context.xml. No Java code is required for that. But this is not happening for me. Please let me know if I missed anything.

Thanks in advance.
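As an added illustration (not code from the post above), here is a small Java check that parses Set-Cookie header values like the three quoted in this post and reports which cookies lack the HttpOnly and Secure attributes. The sample array reuses the header values from the post; the class and method names are my own.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: audits Set-Cookie header values for the HttpOnly and Secure attributes.
public class SetCookieAudit {

    // Sample input, copied from the Set-Cookie headers quoted in the post above.
    static final String[] SAMPLE_HEADERS = {
        "JSESSIONID=660BA8ABDC53B0B91AC53A533410FB2B; Path=/UserHttpOnlyTest",
        "url=\"testing userHttpOnly\"; Version=1; Max-Age=3600; Expires=Thu, 21-Nov-2013 19:30:14 GMT",
        "Mr.x=\"testing the cookie\"; Version=1"
    };

    // True if the header value carries the given flag attribute (case-insensitive).
    static boolean hasAttribute(String setCookieValue, String attribute) {
        String[] parts = setCookieValue.split(";");
        // parts[0] is the name=value pair; everything after it is an attribute
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().equalsIgnoreCase(attribute)) {
                return true;
            }
        }
        return false;
    }

    // Extracts the cookie name from the leading name=value pair.
    static String cookieName(String setCookieValue) {
        String pair = setCookieValue.split(";", 2)[0];
        int eq = pair.indexOf('=');
        return (eq < 0 ? pair : pair.substring(0, eq)).trim();
    }

    // One finding per cookie that lacks HttpOnly or Secure; an empty list means all cookies carry both.
    static List<String> audit(String[] setCookieValues) {
        List<String> findings = new ArrayList<>();
        for (String value : setCookieValues) {
            List<String> missing = new ArrayList<>();
            if (!hasAttribute(value, "HttpOnly")) {
                missing.add("HttpOnly");
            }
            if (!hasAttribute(value, "Secure")) {
                missing.add("Secure");
            }
            if (!missing.isEmpty()) {
                findings.add(cookieName(value) + " is missing " + missing);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        for (String finding : audit(SAMPLE_HEADERS)) {
            System.out.println(finding);
        }
    }
}
```

Run against the three headers from the post, the audit flags all three cookies, which matches what the browser showed: with neither attribute present, document.cookie can read every one of them. The same audit() method can be pointed at the values returned by HttpURLConnection.getHeaderFields().get("Set-Cookie") in an integration test.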
 
Saloon Keeper
You should not be setting the jsessionID yourself, neither in cookies nor as URL appendages. That particular part of the datastream is supposed to be managed entirely by the server.

There is no benefit in meddling with the jsessionID. It is simply a hash key into the server's internal cookie store and has no inherent meaning of its own. In fact, the sessionID is subject to change without notice. A well-documented case where this happens is when you switch from HTTP to HTTPS: the old sessionID is discarded and a new sessionID is generated and used as a reference. The HttpSession object remains unaffected.
 
Suanth Puthanvedu
Greenhorn
Tim, thank you. This is really useful.
As you suggested, this time I let Tomcat manage the sessionID by removing response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid..... from the code. I could see the below result:
Set-Cookie: JSESSIONID=01D4A20F51FCE8F8401B47999524D8AB; Path=/UserHttpOnlyTest/; Secure; HttpOnly

But this will not enable HttpOnly on those I created manually using my code; see the cookie header below:
Set-Cookie: url="testing userHttpOnly"; Version=1; Max-Age=3600; Expires=Sun, 24-Nov-2013 08:37:37 GMT
Set-Cookie: Mr.x="testing the cookie"; Version=1

I know this is one way of setting HttpOnly programmatically:
Cookie cookie = getMyCookie("myCookieName");
cookie.setHttpOnly(true);
But for some reason I won't be able to use this and am searching for some configuration to enable HttpOnly.

Adding the below lines in my application web.xml doesn't have an impact on the header. I got the same header information as above.
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>

I have a question here: is there a way to enable HttpOnly on the non-container-managed ones through configuration?

 
Tim Holloway
Saloon Keeper
I think the idea is that that particular cookie option is automatically set when the cookies are automatically generated (by Tomcat), but you can do - or not do - anything you want with cookies you generate yourself.

You might consider putting in a servlet filter to add the HttpOnly option on your outgoing data if you don't want to do it as part of your cookie application code.