2014-03-06 2:11 GMT+04:00 Bill Davidson <bill...@gmail.com>:
> On 3/5/2014 12:52 PM, Konstantin Kolinko wrote:
>> Session cookie is HttpOnly in Tomcat 7.
>>
>> If you missed that in the migration guide, it is here:
>> http://tomcat.apache.org/migration-7.html#Session_cookie_configuration
>
> I added this to some code that is executed by most requests that we use to
> track operator activity:
>
> Cookie[] cookies = request.getCookies();
> if ( cookies != null ){
>     for ( Cookie cookie : cookies ){
>         operLog.append("\n").append(cookie.getName())
>             .append("=").append(cookie.getValue())
>             .append(", secure=").append(cookie.getSecure())
>             .append(", httpOnly=").append(cookie.isHttpOnly());
>     }
> }
> m_log.fatal(operLog.toString());
>
> This is what that prints out in the log every time:
>
> JSESSIONID=<a big hex number>, secure=false, httpOnly=false
>
> So no, I don't think that's it. We're set to send on any protocol.
> Moreover, shouldn't the applet be sending httpOnly cookies even
> if they are not visible to Javascript?
>
The HttpOnly flag is used by cookies sent by the server to the client.

There is no point checking it on request.getCookies(), as browsers do not send it back (neither do they send 'path', 'secure' etc.).
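As an added illustration of the point made in the reply above (this is not code from the thread or from Tomcat): the HttpOnly and Secure flags only exist in the response Set-Cookie header, so that is where to audit them; the request Cookie header carries nothing but name=value pairs, which is why `request.getCookies()` always reports httpOnly=false. The header values below are constructed, and the session id is a placeholder.

```python
"""Audit session-cookie flags where they actually appear: in the Set-Cookie
response header, not in the cookies the browser sends back."""


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into {'name', 'value', 'attrs'}.

    Attribute names are lower-cased; bare flags such as Secure and HttpOnly
    (attributes written without '=value') are stored as True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, has_eq, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def parse_request_cookies(header: str) -> dict:
    """Parse a request Cookie header. Only name=value pairs survive the round
    trip; Path, Secure and HttpOnly are never echoed by the browser, so this
    side of the exchange can never tell you whether HttpOnly was set."""
    pairs = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs[name] = value
    return pairs


def audit_session_cookie(set_cookie: str, name: str = "JSESSIONID") -> list:
    """Return findings for the session cookie; an empty list means both flags
    are present. Checks the response header, which is the only place they live."""
    cookie = parse_set_cookie(set_cookie)
    if cookie["name"] != name:
        return [f"not the {name} cookie"]
    findings = []
    if cookie["attrs"].get("httponly") is not True:
        findings.append("HttpOnly missing: session id readable by page script")
    if cookie["attrs"].get("secure") is not True:
        findings.append("Secure missing: session id also sent over plain HTTP")
    return findings


# Constructed sample headers (placeholder id, not a captured value).
WITH_HTTPONLY = "JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/; HttpOnly"
WITHOUT_FLAGS = "JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/"
REQUEST_COOKIE = "JSESSIONID=PLACEHOLDER_SESSION_ID; lang=en"

if __name__ == "__main__":
    print(audit_session_cookie(WITH_HTTPONLY))   # only the Secure finding
    print(audit_session_cookie(WITHOUT_FLAGS))   # both findings
    print(parse_request_cookies(REQUEST_COOKIE))  # no attributes at all
```

To capture a real Set-Cookie header from a running Tomcat, read the response headers of the first request that creates a session (a browser's network inspector or `curl -sI` shows them), then feed that line to audit_session_cookie.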