Setting an httponly cookie with javax.servlet 2.5

Question

here is a function that sets a cookie:

public void addCookie(String cookieName, String cookieValue, Integer maxAge, HttpServletResponse response) {     Cookie cookie = new Cookie(cookieName, cookieValue);     cookie.setPath("/mycampaigns");     cookie.setSecure(isSecureCookie);     cookie.setMaxAge(maxAge);     response.addCookie(cookie); } 

I believe in servlet 3.0, there is a way to do this directly. Unfortunately my organization uses 2.5 and UPGRADING at this juncture IS NOT AN OPTION.

is there way to use the response to set the cookie? Here's an example i found online

response.setHeader("SET-COOKIE", "[SOME STUFF]" +"; HttpOnly") 

If this is the only way to do what i want, what would i replace "[SOME STUFF]" with so that i don't lose any of the data that my function currently stores in the cookie?

Answer 1

You are right, manually setting header is the right way to achive your goal.

You can also use javax.ws.rs.core.NewCookie or any other class with useful toString method to print cookie to a header to make things more simple.

public static String getHttpOnlyCookieHeader(Cookie cookie) {      NewCookie newCookie = new NewCookie(cookie.getName(), cookie.getValue(),              cookie.getPath(), cookie.getDomain(), cookie.getVersion(),              cookie.getComment(), cookie.getMaxAge(), cookie.getSecure());      return newCookie + "; HttpOnly"; } 

And the usage:

response.setHeader("SET-COOKIE", getHttpOnlyCookieHeader(myOriginalCookie)); 

Answer 2

This code works without using response.setHeader():

public void addCookie(String cookieName, String cookieValue, Integer maxAge, HttpServletResponse response) {       Cookie cookie = new Cookie(cookieName, cookieValue);     cookie.setPath("; HttpOnly;");     cookie.setSecure(isSecureCookie);     cookie.setMaxAge(maxAge);     response.addCookie(cookie); }