After reading Jeff's blog post on Protecting Your Cookies: HttpOnly, I'd like to implement HttpOnly cookies in my web application.
How do you tell Tomcat to use HttpOnly cookies for sessions?
Setting the HttpOnly flag in PHP: ini_set("session.cookie_httponly", true); This is the most common way to set it in PHP; options you leave unset keep their default value.
Java HttpCookie setHttpOnly() method: the setHttpOnly(boolean httpOnly) method of the Java HttpCookie class indicates whether the cookie is to be treated as HttpOnly. If it is set to true, the cookie cannot be accessed by scripting engines such as JavaScript.
httpOnly is supported as of Tomcat 6.0.19 and Tomcat 5.5.28.
See the changelog entry for bug 44382.
The last comment for bug 44382 states, "this has been applied to 5.5.x and will be included in 5.5.28 onwards." However, it does not appear that 5.5.28 has been released.
The httpOnly functionality can be enabled for all webapps in conf/context.xml:
<Context useHttpOnly="true"> ... </Context>
My interpretation is that it also works for an individual context by setting it on the desired Context entry in conf/server.xml (in the same manner as above).
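A way to verify that the setting actually takes effect, as an added example that is not from the original answer: it checks a constructed conf/context.xml fragment for useHttpOnly="true" and parses constructed Set-Cookie header values (what the browser receives from Tomcat) to confirm that JSESSIONID carries the HttpOnly flag. The audit() helper and the sample data are assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Constructed conf/context.xml fragments (not from any real deployment).
CONTEXT_XML_ON = '<Context useHttpOnly="true"></Context>'
CONTEXT_XML_OFF = '<Context></Context>'

# Constructed Set-Cookie header values, in the shape Tomcat emits them with
# useHttpOnly off (first list) and on (second list).
HEADERS_OFF = ["JSESSIONID=0123456789ABCDEF; Path=/myapp"]
HEADERS_ON = ["JSESSIONID=0123456789ABCDEF; Path=/myapp; HttpOnly",
              "theme=dark; Path=/myapp"]


def context_sets_httponly(xml_text):
    """True if the <Context> root element declares useHttpOnly="true"."""
    root = ET.fromstring(xml_text)
    return root.tag == "Context" and root.get("useHttpOnly", "").lower() == "true"


def session_cookie_flags(set_cookie_values, session_name="JSESSIONID"):
    """Inspect Set-Cookie values and report whether the session cookie was
    found and whether it carries HttpOnly. Attribute names are compared
    case-insensitively (RFC 6265), so 'httponly' and 'HttpOnly' both count."""
    result = {"found": False, "httponly": False}
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0].strip()
        if name != session_name:
            continue
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        result.update(found=True, httponly="httponly" in attrs)
    return result


def audit(xml_text, set_cookie_values):
    """Return the findings a reviewer would raise; an empty list means OK."""
    findings = []
    if not context_sets_httponly(xml_text):
        findings.append('context.xml: <Context> lacks useHttpOnly="true"')
    flags = session_cookie_flags(set_cookie_values)
    if not flags["found"]:
        findings.append("no JSESSIONID cookie in the response")
    elif not flags["httponly"]:
        findings.append("JSESSIONID is set without the HttpOnly flag")
    return findings


if __name__ == "__main__":
    print(audit(CONTEXT_XML_OFF, HEADERS_OFF))  # two findings
    print(audit(CONTEXT_XML_ON, HEADERS_ON))    # []
```

Feed the Set-Cookie values from a real response into audit() to confirm the running Tomcat (6.0.19 / 5.5.28 or later) honours the setting.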