-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Sush,
On 11/21/13, 1:54 PM, sush3152 . wrote:
> Hi,i have the below details about the problem. Please go though it
> and let me know if i am making any mistakes.
>
> Environmnent Tomcat7
Exactly which version of Tomcat 7?
> Windows7/Centos6.3 64bit jdk 7 Mozilla firefox 25.0.1
>
>
> CATALINA_HOME/conf/context.xml <Context useHttpOnly="true"/>
> <WatchedResource>WEB-INF/web.xml</WatchedResource> </Context>
You probably should not have modified this file (conf/context.xml).
Instead, you should be using a META-INF/context.xml file in your web
application. Note that "true" is the default value for this
configuration setting, so you should not have to set it at all.
Perhaps you have useHttpOnly="false" in your web application's
context.xml and it is overriding?
> Since i am using tomcat7 i dont think i need to configure
> useHttpOnly="true" explicitly.
You should not have to do so.
> Java code which generates the cookie
>
> response.setContentType("text/html"); PrintWriter pw =
> response.getWriter(); Cookie cookie = new Cookie("url","testing
> userHttpOnly"); Cookie cookie1 = new Cookie("Mr.x","testing the
> cookie"); cookie.setMaxAge(60*60); //1 hour String sessionid =
> request.getSession().getId(); String contextPath =
> request.getContextPath(); response.setHeader("SET-COOKIE",
> "JSESSIONID=" + sessionid + "; Path=" + contextPath);
> response.addCookie(cookie); response.addCookie(cookie1);
> pw.println("Cookies created");
Well, of course that code will not enable HttpOnly: you are creating
the cookie yourself by emitting the "Set-Cookie" header. If you had
let Tomcat create your JSESSIONID cookie for you, it would have
included the "HttpOnly" flag.
> With the below lines,i could see the ;HttpOnly along with the
> cookie information in the http header and the same java script code
> return "undefined" which is what i wanted.
> response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + ";
> Path=" + contextPath + "; HttpOnly" );
>
> Conclusion : As per my understanding the the cookie should be
> HttpOnly with the way i configured my context.xml.No java code is
> required for that.But this is not happening for me.Please let me
> know if i missed anything
Tomcat will not intercept your cookies and "correct" them to be
HttpOnly. That would be a violation of the servlet specification.
Tomcat will protect *its own* session cookie(s) by using the
"HttpOnly" flag, not just any cookie you happen to send back to the
client.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJSjl4KAAoJEBzwKT+lPKRYoscQAJKTio8E9EeSSi6XkN3ZNv1o
ph0wpLYvWAKS9QiiXBmitK4ULFAxtJ1jH0cFqF84LxImwRN50jaS63AiFWZIwsiy
c28c9lTyCBcv5fNbRgW7qR2jPr+iilUjUbdt1KyDNoHmzecvrXizc+EXOxjeRQfG
Weww6V8YQH/QaQacddPq4rLsyibQl/YQ1dS5I+LAFPBEIilnKe8sqPUude9CrA86
l+vH6f6tbHWrMotE260ORFZCqs7LqhbjvWu0ZqT9pHuD5slK0a7HQvGH/GtCC8Dc
NENHF5lOshRMfoVrfaCgvx+1LPAblHePqUM/ZBBG9ZbXBrc5LihHKSktI/XVt3WB
NbThnKMqYnHJkotbe4znUfuDSokCEW/xEsnStpqUuhr1L6VjBHZ02ME0O2SfPglM
z8FNh7Gf92GZu2TOEesVXeIivO5T7c478x0yxWtL2F5230z1WHlUxnRhYlPbgjQz
WuIK8wp0IBsXSmd+leog1E2GAnJL3GkefxWWam4j9w+Xf4A1lfk1UYh1oCgD22zI
+IYMZMuKImYo0MZ9SkWCsVYBsakRsuoh/VH3/QMTB1QCIndDSGfcahcX0NT5R6vR
winJpj5h8IPMnM/nQEr/hsuPBUZ8EkhdsMd2YeclRBI5HidNqA6hhUN2QPBS9Yj0
5Bho1uInzvBd6QekswJj
=YBXm
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
