
Setting httponly programmatically in cookies doesn't seem to work

 
alrem mashayekhi

I am using servlet 2.4. I used the following code to set httponly in my application's cookies, but it did not work. When I do a javascript alert(document.cookie) in my page, the session id still shows up.


Cookie[] cookies = request.getCookies();
for (int x = 0; x < cookies.length; x++) {
    Cookie cookie = (Cookie) cookies[x];
    String cookieValue = cookie.getValue();
    cookie.setValue(cookieValue + "; HttpOnly");
}


I also tried doing this and it wouldn't work either:

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

What gives?

Am I missing anything?

By the way, I am using an application server with its JAVA EE version = 1.4 and JAVA SE version = 5.
 
Ulf Dittmer
As to the first approach, that shows code to alter request cookies (in which there isn't much point) - are you setting those cookies as response cookies somewhere?

As to the second approach, I strongly advise not to mess around with the session cookie - that is under the control of the servlet container and should be left alone.
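
Added example, not part of either post above: `Cookie.setHttpOnly` only exists from Servlet 3.0 onward, so on Servlet 2.4 an application cookie (not the container's session cookie) can carry HttpOnly only if the `Set-Cookie` header is written on the response by hand. The class name `HttpOnlyCookieHeader`, the cookie name `prefs` and all sample values are assumptions made for illustration; the helper rejects values that would let input inject extra attributes or headers.

```java
// Added illustration: builds a Set-Cookie header value with HttpOnly for an
// application cookie. Names and sample values are hypothetical.
public class HttpOnlyCookieHeader {

    // Cookie names must be HTTP tokens: no controls, spaces or separators.
    private static boolean isToken(String s) {
        if (s == null || s.length() == 0) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c <= 0x20 || c >= 0x7f || "()<>@,;:\\\"/[]?={}".indexOf(c) >= 0) return false;
        }
        return true;
    }

    // Values and paths must not contain controls (CR/LF included), whitespace,
    // quotes, commas, semicolons or backslashes.
    private static boolean isSafeValue(String s) {
        if (s == null) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c <= 0x20 || c >= 0x7f || c == '"' || c == ',' || c == ';' || c == '\\') return false;
        }
        return true;
    }

    public static String build(String name, String value, String path, boolean secure) {
        if (!isToken(name)) throw new IllegalArgumentException("bad cookie name");
        if (!isSafeValue(value)) throw new IllegalArgumentException("bad cookie value");
        if (path == null || !path.startsWith("/") || !isSafeValue(path))
            throw new IllegalArgumentException("bad cookie path");
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value).append("; Path=").append(path);
        if (secure) sb.append("; Secure");
        return sb.append("; HttpOnly").toString();
    }

    public static void main(String[] args) {
        // Constructed sample cookie.
        String header = build("prefs", "abc123", "/app", true);
        System.out.println("Set-Cookie: " + header);
        // In a servlet, use addHeader (setHeader would replace any Set-Cookie
        // header already on the response):
        //   response.addHeader("Set-Cookie", header);
        try {
            build("prefs", "x\r\nSet-Cookie: injected=1", "/", false); // constructed bad input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```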
 