Implementing HttpOnly cookie attribute in Struts

 
Dom Lassy
Ranch Hand
Posts: 181
I need to add the HttpOnly attribute to all kookies that are being set in our system. Fortunately, I believe the only kookie that is set is the sessionID, which is set automatically by Struts.

What would be the best way to set the HttpOnly attribute for the session id Kookie in Struts? javax.servlet.http.Kookie does not have a setHttpOnly() attribute (probably since it is an IE 6 SP1 or later standard).

Edit: JavaRanch seems to filter the word c.o.o.k.i.e so all references were changed to Kookie.
 
Merrill Higginson
Ranch Hand
Posts: 4864
Struts does not set the session cookie. The application server does. This is therefore an application server issue, not a Struts issue. I'd suggest looking at your specific application server's documentation in order to find out whether it supports httponly cookies or not. Since there's no support in the Java Cookie API for them, I suspect most application servers will not support them.
[ July 20, 2006: Message edited by: Merrill Higginson ]
 
Dom Lassy
Ranch Hand
Posts: 181
Apache Tomcat is the servlet container we are using, and I can't find any information about setting httponly, so I can only assume that it isn't supported.

I'd like to avoid doing this in JavaScript, so if you have any idea how to add httponly with Tomcat I'd appreciate it. Thanks.
[ July 20, 2006: Message edited by: Dom Lassy ]
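
One server-side way to get HttpOnly onto the session cookie when the Cookie class has no setter for it, shown as an added example that is not part of the thread: a servlet filter that creates the session early and writes the `Set-Cookie` header by hand. The class name `HttpOnlySessionFilter` and the helper `sessionCookie` are hypothetical, and the filter assumes that `setHeader` replaces the session cookie header the container has already queued, which should be confirmed on the container in use.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter, not from the thread. Map it to /* in web.xml so it
// runs before the Struts ActionServlet or any JSP writes to the response.
public class HttpOnlySessionFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Create the session here, while headers can still be changed. A session
        // first created deeper in the chain would get only the container's cookie.
        HttpSession session = request.getSession(true);
        if (session.isNew()) {
            // Assumption: setHeader replaces the Set-Cookie the container queued
            // for the new session; confirm the result in the browser or a proxy.
            response.setHeader("Set-Cookie", sessionCookie(request, session.getId()));
        }
        chain.doFilter(req, res);
    }

    // Builds "JSESSIONID=<id>; Path=<context>; [Secure; ]HttpOnly".
    static String sessionCookie(HttpServletRequest request, String id) {
        String path = request.getContextPath();
        if (path == null || path.length() == 0) {
            path = "/"; // the root context reports an empty path
        }
        StringBuilder sb = new StringBuilder("JSESSIONID=").append(id);
        sb.append("; Path=").append(path);
        if (request.isSecure()) {
            sb.append("; Secure"); // keep the cookie off plain HTTP when on HTTPS
        }
        return sb.append("; HttpOnly").toString();
    }
}
```

Containers that implement Servlet 3.0 or later provide `Cookie.setHttpOnly(true)` and an `<http-only>` element under `<session-config>`/`<cookie-config>` in web.xml, which replace this workaround.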
 