Sush,
On 11/21/13, 1:54 PM, sush3152 . wrote:
> Hi, I have the below details about the problem. Please go through it
> and let me know if I am making any mistakes.
>
> Environment: Tomcat 7

Exactly which version of Tomcat 7?

> Windows 7 / CentOS 6.3 64-bit, JDK 7, Mozilla Firefox 25.0.1
>
> CATALINA_HOME/conf/context.xml
>
>   <Context useHttpOnly="true">
>     <WatchedResource>WEB-INF/web.xml</WatchedResource>
>   </Context>

You probably should not have modified this file (conf/context.xml).
Instead, you should be using a META-INF/context.xml file in your web
application. Note that "true" is the default value for this
configuration setting, so you should not have to set it at all. Perhaps
you have useHttpOnly="false" in your web application's context.xml and
it is overriding?

> Since I am using Tomcat 7 I don't think I need to configure
> useHttpOnly="true" explicitly.

You should not have to do so.

> Java code which generates the cookie
>
>   response.setContentType("text/html");
>   PrintWriter pw = response.getWriter();
>   Cookie cookie = new Cookie("url", "testing userHttpOnly");
>   Cookie cookie1 = new Cookie("Mr.x", "testing the cookie");
>   cookie.setMaxAge(60 * 60); // 1 hour
>   String sessionid = request.getSession().getId();
>   String contextPath = request.getContextPath();
>   // hand-written Set-Cookie header for the session id, no HttpOnly attribute
>   response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath);
>   response.addCookie(cookie);
>   response.addCookie(cookie1);
>   pw.println("Cookies created");

Well, of course that code will not enable HttpOnly: you are creating the
cookie yourself by emitting the "Set-Cookie" header. If you had let
Tomcat create your JSESSIONID cookie for you, it would have included the
"HttpOnly" flag.

> With the below lines, I could see the ";HttpOnly" along with the
> cookie information in the HTTP header, and the same JavaScript code
> returns "undefined", which is what I wanted.
>   response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath + "; HttpOnly");
>
> Conclusion: As per my understanding the cookie should be HttpOnly
> with the way I configured my context.xml. No Java code is required
> for that. But this is not happening for me. Please let me know if I
> missed anything.

Tomcat will not intercept your cookies and "correct" them to be
HttpOnly. That would be a violation of the servlet specification.
Tomcat will protect *its own* session cookie(s) by using the "HttpOnly"
flag, not just any cookie you happen to send back to the client.

-chris
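The approach Chris describes, written out as an added example (this is not code from the thread or from Tomcat itself): let the container issue JSESSIONID, and mark the application's own cookies HttpOnly through the Servlet 3.0 Cookie API that Tomcat 7 supports. The servlet class name and the /cookies mapping are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (added example). Tomcat 7 sets HttpOnly on its
// own session cookie by default; application cookies must be flagged
// by the application, which the container will not do for them.
@WebServlet("/cookies")
public class HttpOnlyCookieServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Creating the session is all that is needed: the container emits
        // "Set-Cookie: JSESSIONID=...; Path=<context>; HttpOnly" itself.
        // Writing that Set-Cookie header by hand bypasses this protection.
        request.getSession(true);

        // Application cookies are not touched by the container, so the
        // flag is set explicitly (Cookie.setHttpOnly is Servlet 3.0 API).
        Cookie cookie = new Cookie("url", "testing-httponly");
        cookie.setMaxAge(60 * 60); // 1 hour
        cookie.setHttpOnly(true);
        cookie.setPath(request.getContextPath());
        response.addCookie(cookie);

        Cookie cookie1 = new Cookie("Mr.x", "testing-the-cookie");
        cookie1.setHttpOnly(true);
        cookie1.setPath(request.getContextPath());
        response.addCookie(cookie1);

        response.setContentType("text/html");
        PrintWriter pw = response.getWriter();
        pw.println("Cookies created");
    }
}
```

Requesting the page with `curl -i` shows every Set-Cookie header, so the HttpOnly attribute on both the container's JSESSIONID and the application cookies can be confirmed without a browser.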