
How do you configure HttpOnly cookies in tomcat / java webapps?

After reading Jeff's blog post on Protecting Your Cookies: HttpOnly, I'd like to implement HttpOnly cookies in my web application.

How do you tell Tomcat to use HttpOnly cookies for sessions?

ScArcher2 asked Aug 28 '08 21:08



1 Answer

httpOnly is supported as of Tomcat 6.0.19 and Tomcat 5.5.28.

See the changelog entry for bug 44382.

The last comment for bug 44382 states, "this has been applied to 5.5.x and will be included in 5.5.28 onwards." However, it does not appear that 5.5.28 has been released.

The httpOnly functionality can be enabled for all webapps in conf/context.xml:

<Context useHttpOnly="true"> ... </Context>

My interpretation is that it also works for an individual context by setting it on the desired Context entry in conf/server.xml (in the same manner as above).

jt. answered Oct 15 '22 22:10
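Once useHttpOnly="true" is in place, the thing worth verifying is that the flag actually shows up on the JSESSIONID cookie the server sends back. The following is an added example, not code from the question or answer above: a small Python checker that parses Set-Cookie header values and reports any session cookie that is missing HttpOnly. The two sample header sets (a "before" response without the flag and an "after" response with it) are constructed for illustration; in practice you would feed it the Set-Cookie headers captured from a real response to your Tomcat instance.

```python
"""Check Set-Cookie headers for the HttpOnly flag on session cookies.

Added example (not from the original question or answer). After enabling
useHttpOnly="true" in Tomcat's conf/context.xml, run the server's actual
Set-Cookie headers through missing_httponly() to confirm the session cookie
carries the flag. The SAMPLE_RESPONSES below are constructed, not captured.
"""
from typing import Dict, List, Sequence

# Constructed sample responses: each value is the list of Set-Cookie header
# values a client would receive from one HTTP response.
SAMPLE_RESPONSES = {
    # What a Tomcat without useHttpOnly would send for the session cookie.
    "before": ["JSESSIONID=ABC123; Path=/myapp"],
    # What it sends once useHttpOnly="true" is active.
    "after": [
        "JSESSIONID=ABC123; Path=/myapp; HttpOnly",
        "prefs=dark; Path=/; Max-Age=3600",
    ],
}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into a dict.

    The first pair becomes "name"/"value"; every following attribute is
    stored under its lower-cased key. Flag attributes without a value
    (HttpOnly, Secure) are stored with "" so they can be tested with `in`.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def missing_httponly(
    headers: Sequence[str], session_names: Sequence[str] = ("JSESSIONID",)
) -> List[str]:
    """Return the names of session cookies in `headers` that lack HttpOnly.

    Only cookies whose name is in `session_names` are checked, since the
    Tomcat setting discussed on this page applies to the session cookie.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in session_names and "httponly" not in cookie:
            findings.append(cookie["name"])
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        bad = missing_httponly(headers)
        status = "OK" if not bad else f"missing HttpOnly on {', '.join(bad)}"
        print(f"{label}: {status}")
```

The checker only covers the session cookie that the useHttpOnly attribute governs; cookies your own code creates still need the flag set individually (the Servlet 3.0 API provides Cookie.setHttpOnly(true) for that), so pass their names in session_names if you want them checked too.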