Java HttpOnly Flag
I used Servlet 3.0 and I want to secure my cookies with the HttpOnly flag. My web.xml is

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee" 
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
    http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">


    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

</web-app>

and my Servlet is

response.setContentType("application/json");
PrintWriter pw = response.getWriter();

Cookie cookie = new Cookie("url", "google.com");
cookie.setMaxAge(60 * 60); //1 hour
response.addCookie(cookie);

pw.println("Cookies created");

My context.xml is

<Context cookies="true" crossContext="true" useHttpOnly="true">
    <SessionCookie httpOnly="true"/>
</Context>

but I can read the cookies from JavaScript. Can anybody help me?

Kovno answered 1/6, 2014 at 6:27

Comments:

Hellion: Are you using Tomcat? Which version?
Hellion: What is your context.xml?
Kovno: I am using JBoss 7, but is it considerable?
Hellion: Yes, not all versions of all web servers implement HttpOnly.
Kovno: As I know, JBoss 7 supports it. I have updated my question.
The web.xml only configures the session-cookie.

You should add

cookie.setHttpOnly(true);

to your Servlet.

Dapplegray answered 12/6, 2014 at 8:26
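To make the answer concrete, here is the asker's servlet rewritten as a complete Servlet 3.0 class that sets the flags on the application cookie itself. This is an added example, not code from the question or the answer; the class name, the `/cookies` mapping and the JSON body are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Servlet 3.0 annotation mapping (assumed path); no <servlet> entry is needed in web.xml.
@WebServlet("/cookies")
public class HttpOnlyCookieServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("application/json");

        Cookie cookie = new Cookie("url", "google.com");
        cookie.setMaxAge(60 * 60);   // 1 hour
        cookie.setPath("/");         // explicit path; otherwise it defaults to the request path

        // <cookie-config> in web.xml applies only to the container's session cookie
        // (JSESSIONID). Cookies created by the application must carry the attributes
        // themselves; both setters exist since Servlet 3.0.
        cookie.setHttpOnly(true);    // hidden from document.cookie in the browser
        cookie.setSecure(true);      // browser stores and sends it only over HTTPS

        response.addCookie(cookie);

        PrintWriter pw = response.getWriter();
        pw.println("{\"status\":\"cookie created\"}");
    }
}
```

Because the cookie is marked Secure, test it over HTTPS: inspect the response headers (for example in the browser's network tab) and confirm the `Set-Cookie: url=google.com; ...` line ends with `Secure; HttpOnly`, then check that `document.cookie` no longer lists `url`.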
