List:       tomcat-user
Subject:    Re: with useHttpOnly="true" my browser could access cookies through javascript.
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2013-11-25 14:04:26
Message-ID: 529358EA.1090702 () christopherschultz ! net
Sush,

On 11/24/13, 5:05 AM, sush3152 . wrote:
> Thanks Chris. This is really useful. As you suggested, this time I
> let Tomcat manage the session ID by removing
> response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid.....
> from the code. I could see the below result:
> Set-Cookie: JSESSIONID=01D4A20F51FCE8F8401B47999524D8AB;
> Path=/UserHttpOnlyTest/; Secure; HttpOnly
> 
> I have one more question in the same context: is there a way to
> enable HttpOnly on non-container-managed cookies other than
> programmatically?

No. It's not appropriate for the container to interfere with cookies
added to a response by the application.

> Adding the below lines in my application web.xml doesn't have an
> impact on the header:
> <session-config>
>   <cookie-config>
>     <http-only>true</http-only>
>   </cookie-config>
> </session-config>

Nor should it. The above only affects the JSESSIONID cookie, and only
if Tomcat creates the cookie.

- -chris
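The answer above is that the container will not add HttpOnly to cookies the application sets itself, so that has to be done in application code. The following is an added example (not code from this thread, from the original poster, or from Tomcat) showing the programmatic route on Servlet 3.0+ (Tomcat 7 or later): a filter that wraps the response so that every application cookie added via addCookie() gets HttpOnly (and Secure on an HTTPS request), and that also patches raw Set-Cookie headers written with setHeader()/addHeader(), which is how the cookie in the original question was emitted. The filter name, the "/*" URL pattern and the example servlet are assumptions for illustration.

```java
// Added example, not part of the original thread or of Tomcat.
// Assumes Servlet 3.0+ (javax.servlet.http.Cookie#setHttpOnly exists since 3.0).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter name and pattern: applies to every response of this webapp.
@WebFilter("/*")
public class HttpOnlyCookieFilter implements Filter {

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;

        chain.doFilter(req, new HttpServletResponseWrapper(response) {
            // Path 1: cookies added through the Servlet Cookie API.
            @Override
            public void addCookie(Cookie cookie) {
                cookie.setHttpOnly(true);
                if (request.isSecure()) {
                    cookie.setSecure(true);
                }
                super.addCookie(cookie);
            }

            // Path 2: cookies written as a raw Set-Cookie header string, as in
            // response.setHeader("SET-COOKIE", "JSESSIONID=..."); header names
            // are case-insensitive, so match them that way.
            @Override
            public void setHeader(String name, String value) {
                super.setHeader(name, isSetCookie(name) ? harden(value) : value);
            }

            @Override
            public void addHeader(String name, String value) {
                super.addHeader(name, isSetCookie(name) ? harden(value) : value);
            }

            private boolean isSetCookie(String name) {
                return "Set-Cookie".equalsIgnoreCase(name);
            }

            // Append the attributes only when they are absent, so an already
            // hardened header is not duplicated.
            private String harden(String setCookie) {
                String v = setCookie;
                if (!v.matches("(?i).*;\\s*HttpOnly\\s*(;.*)?")) {
                    v += "; HttpOnly";
                }
                if (request.isSecure() && !v.matches("(?i).*;\\s*Secure\\s*(;.*)?")) {
                    v += "; Secure";
                }
                return v;
            }
        });
    }
}

// Hypothetical servlet showing the direct, per-cookie way when no filter is used:
// the application marks its own cookie HttpOnly before adding it.
@WebServlet("/prefs")
class PrefsServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        Cookie prefs = new Cookie("prefs", "lang=en");   // constructed sample value
        prefs.setPath(request.getContextPath() + "/");
        prefs.setHttpOnly(true);                          // not readable via document.cookie
        prefs.setSecure(request.isSecure());              // only over HTTPS
        response.addCookie(prefs);
        response.getWriter().println("ok");
    }
}
```

With the filter deployed, a browser's `document.cookie` no longer exposes application cookies, while the JSESSIONID cookie is still governed separately by `useHttpOnly` on the Context or by `<cookie-config><http-only>` in web.xml. One caveat: a filter only sees headers that pass through the response object it wraps, so cookies emitted by code that bypasses the servlet response (for example a Valve) are untouched and should be checked in the actual Set-Cookie headers the server sends.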
