with useHttpOnly="true" my browser could access cookies through javascript.

Suanth Puthanvedu
Greenhorn

Joined: Nov 21, 2013
Posts: 2
Hi, I have the below details about the problem. Please go through it and let me know if I am making any mistakes.

Environment
Tomcat7 7.0.47
Windows7/Centos6.3 64bit
jdk 7
Mozilla firefox 25.0.1


CATALINA_HOME/conf/context.xml
<Context useHttpOnly="true">
<WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
Since I am using tomcat7 I don't think I need to configure useHttpOnly="true" explicitly.

Java code which generates the cookies (inside the servlet's doGet, with javax.servlet.http.Cookie and java.io.PrintWriter imported)

response.setContentType("text/html");
PrintWriter pw = response.getWriter();
// two application cookies created by hand
Cookie cookie = new Cookie("url", "testing userHttpOnly");
Cookie cookie1 = new Cookie("Mr.x", "testing the cookie");
cookie.setMaxAge(60 * 60); // 1 hour
// session id written as a raw Set-Cookie header
String sessionid = request.getSession().getId();
String contextPath = request.getContextPath();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
+ "; Path=" + contextPath);
response.addCookie(cookie);
response.addCookie(cookie1);
pw.println("Cookies created");

When I verified the http header, I am able to see the cookie values as
Set-Cookie: JSESSIONID=660BA8ABDC53B0B91AC53A533410FB2B; Path=/UserHttpOnlyTest
Set-Cookie: url="testing userHttpOnly"; Version=1; Max-Age=3600; Expires=Thu, 21-Nov-2013 19:30:14 GMT
Set-Cookie: Mr.x="testing the cookie"; Version=1
And
my browser could access the cookie using "document.cookie" and I could alert the cookie values.

With the below lines, I could see ";HttpOnly" along with the cookie information in the http header, and the same javascript code returns "undefined", which is what I wanted.
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
+ "; Path=" + contextPath + "; HttpOnly" );

Conclusion: As per my understanding the cookie should be HttpOnly with the way I configured my context.xml. No java code is required for that. But this is not happening for me. Please let me know if I missed anything.

Thanks in advance.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15952
You should not be setting the jsessionID yourself, neither in cookies nor as URL appendages. That particular part of the datastream is supposed to be managed entirely by the server.

There is no benefit in meddling with the jsessionID. It is simply a hash key into the server's internal cookie store and has no inherent meaning of its own. In fact, the sessionID is subject to change without notice. A well-documented case where this happens is when you switch from HTTP to HTTPS: the old sessionID is discarded and a new sessionID is generated and used as a reference. The HttpSession object remains unaffected.


Customer surveys are for companies who didn't pay proper attention to begin with.
Suanth Puthanvedu
Greenhorn

Joined: Nov 21, 2013
Posts: 2
Tim, thank you. This is really useful.
As you suggested, this time I let tomcat manage the sessionID by removing response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid..... from the code. I could see the below result
Set-Cookie: JSESSIONID=01D4A20F51FCE8F8401B47999524D8AB; Path=/UserHttpOnlyTest/; Secure; HttpOnly

But this will not enable httponly for those I created manually using my code; see the cookie header below,
Set-Cookie: url="testing userHttpOnly"; Version=1; Max-Age=3600; Expires=Sun, 24-Nov-2013 08:37:37 GMT
Set-Cookie: Mr.x="testing the cookie"; Version=1

I know this is one way of setting httponly programmatically,
Cookie cookie = getMyCookie("myCookieName"); // getMyCookie: the application's own lookup helper
cookie.setHttpOnly(true);
But for some reason I won't be able to use this and am searching for some configuration to enable httponly.

Adding the below lines in my application web.xml doesn't have an impact on the header. I got the same header information as above.
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>

I have a question here: is there a way to enable httponly on the non-container-managed ones through configuration?

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15952

I think the idea is that that particular cookie option is automatically set when the cookies are automatically generated (by Tomcat), but you can do - or not do - anything you want with cookies you generate yourself.

You might consider putting in a servlet filter to add the httponly option on your outgoing data if you don't want to do it as part of your cookie application code.