Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Setting httponly in JSESSIONID cookie (Java EE 5)

Tags:

java

cookies

servlets

jsessionid

httponly

I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servlet's doPost() by using response.setHeader().

When that didn't work, I tried response.addHeader(). That didn't work either. Then, I learned that the servlet handled converting the session into a JSESSIONID cookie and inserting it into the http header so if I want to play with that cookie, I'll have to write a filter. I wrote a filter and played with setHeader()/addHeader() there, again to no avail.

Then, I learned that there's some flush/close action going on in the response object before it gets to the filter so if I want to manipulate the data, I need to extend HttpServletResponseWrapper and pass that to filterChain.doFilter(). This is done but I'm still not getting results. Clearly I'm doing something wrong but I don't know what.

I'm not sure if this is at all relevant to the question at hand but no html document is being returned by the servlet to the browser. All that's really happening is that some objects are being populated and returned to a JSP document. I've sort of assumed that The Session object is turned into a JSESSIONID cookie and wrapped -- along with the objects added to the request -- in an http header before being sent to the browser.

I'd be happy to post some code but I want to rule out the possibility that my difficulties stem from a misunderstanding of the theory first.

like image 272
Mythandros Avatar asked Jun 07 '10 19:06

Mythandros

1 Answers

Since the JSESSIONID cookie is managed by the servletcontainer, this setting is servletcontainer specific. It's unclear which one you're using, so here's an Apache Tomcat 6.0 targeted answer so that you know in which direction you'll have to look for your servletcontainer: you need to set the useHttpOnly attribute of the webapplication's <Context> element to true.

<Context useHttpOnly="true">
    ...
</Context>

Also see this Tomcat documentation about the <Context> element.

like image 174
BalusC Avatar answered Sep 29 '22 09:09

BalusC
Sign in to Comment

Related questions

What does "subsequent read" mean in the context of volatile variables?
Method signature selection for lambda expression with multiple matching target types
EntityManager.createNativeQuery returning list of objects instead of list of BigDecimal when using Pagination
Spring Boot FlywayException: Unable to connect to the database. Configure the url, user and password
Lombok @Log4j2 annotation doesn't work with latest version of log4j (v2.15.0)
Auto-generating Unit-Tests for legacy Java-code [closed]
How does VS2008+ReSharper compare to IntelliJ IDEA?
What is the best way to unit test a EJB3 component without having to deploy the component
Segment tree java implementation [closed]
JPA or Hibernate for Java Persistence?
Eclipse JFace's Wizards
Access environment variable from java servlet
What's the difference between instantiating in the field and instantiating in the constructor?
Delay task:scheduler first execution in Spring 3
How to force Java to throw arithmetic exception?
Builders in Java versus C++?
Jetty startup delay
Web service unit testing
Hibernate query cache automatically refreshed on external update?
Java: Tracking a user login session - Session EJBs vs HTTPSession

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!