I saw on the thread How do you configure HttpOnly cookies in tomcat / java webapps? that Tomcat 5.5.(>28) is supposed to support a vendor-specific useHttpOnly attribute specified in <Context> elements.
I added this attribute to ALL contexts configured in my server.xml.
However, only the JSESSIONID cookie was appended with the "; httpOnly" flag. All other cookies are exactly as they were before I added useHttpOnly="true".
Set-Cookie=
JSESSIONID=25E8F...; Path=/custompath; HttpOnly
mycustomcookie1=xxxxxxx; Path=/
mycustomcookie2=1351101062602; Path=/
mycustomcookie3=0; Path=/
mycustomcookie4=1; Path=/; Secure
mycustomcookie5=4000; Expires=Sat, 22-Oct-2022 17:51:02 GMT; Path=/
Is there anything else I need to change?
(Upgrading to Tomcat 6 or 7 is not an option for now. Our system uses a third-party framework based on Tomcat 5.5.)
Upvotes: 1
Views: 2750
The useHttpOnly configuration in the server indeed applies to server-controlled cookies such as JSESSIONID only.
For webapp-controlled cookies you have to manually create the entire cookie header yourself. The Cookie class is unsuitable, as the setHttpOnly() method was introduced in Servlet 3.0, but you're using Tomcat 5.5, which, being a Servlet 2.4 container, does not have this method in the Cookie class. You'd need to upgrade to at least Tomcat 7, which is a Servlet 3.0 compatible container.
You can manually create the cookies mentioned in the question as follows:
response.addHeader("Set-Cookie", "mycustomcookie1=xxxxxxx; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie2=1351101062602; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie3=0; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie4=1; Path=/; Secure; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie5=4000; Expires=Sat, 22-Oct-2022 17:51:02 GMT; Path=/; HttpOnly");
It's indeed just a matter of adding the HttpOnly attribute to the cookie header value, separated by ;.
If you'd like to transparently apply this to all cookies, then you might want to provide a custom HttpServletResponseWrapper wherein the addHeader() and setHeader() methods are overridden accordingly to check if a Set-Cookie header is being set and, if so, add ;HttpOnly to the value when absent. This way you can keep using addCookie().
Upvotes: 1
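The wrapper approach from the answer above, written out as an added example (not code from the question, the answer, or Tomcat) against the Servlet 2.4 API so it compiles on Tomcat 5.5. The filter and class names are my own. Because Tomcat's own response object builds the Set-Cookie header inside its addCookie() without calling back into the wrapper's addHeader(), the wrapper also overrides addCookie() and serialises the cookie itself so it passes through the same check; only version 0 cookie attributes are handled.

```java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical Servlet 2.4 filter: wraps the response so every Set-Cookie header
// written through it carries HttpOnly. Register it in web.xml with a <filter>
// and a <filter-mapping> for the URL pattern /*.
public class HttpOnlyCookieFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new HttpOnlyResponseWrapper((HttpServletResponse) res));
    }

    static class HttpOnlyResponseWrapper extends HttpServletResponseWrapper {
        HttpOnlyResponseWrapper(HttpServletResponse response) { super(response); }

        public void addHeader(String name, String value) {
            super.addHeader(name, httpOnly(name, value));
        }
        public void setHeader(String name, String value) {
            super.setHeader(name, httpOnly(name, value));
        }

        // The wrapped Tomcat response builds its own header in addCookie() and never
        // calls this wrapper's addHeader(), so serialise the Cookie here instead.
        public void addCookie(Cookie c) {
            StringBuffer sb = new StringBuffer(c.getName()).append('=').append(c.getValue());
            if (c.getPath() != null) sb.append("; Path=").append(c.getPath());
            if (c.getMaxAge() >= 0) {  // Tomcat emits Expires for version 0 cookies
                SimpleDateFormat fmt = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US);
                fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
                sb.append("; Expires=").append(fmt.format(new Date(System.currentTimeMillis() + c.getMaxAge() * 1000L)));
            }
            if (c.getSecure()) sb.append("; Secure");
            addHeader("Set-Cookie", sb.toString());  // goes through httpOnly()
        }

        // Append "; HttpOnly" to Set-Cookie values that do not already carry it.
        static String httpOnly(String name, String value) {
            if (!"Set-Cookie".equalsIgnoreCase(name) || value == null) return value;
            return value.toLowerCase(Locale.US).indexOf("httponly") >= 0 ? value : value + "; HttpOnly";
        }
    }
}
```

A cookie added with response.addCookie(new Cookie("mycustomcookie3", "0")) then reaches the client as mycustomcookie3=0; HttpOnly, matching the headers shown in the question once HttpOnly is appended.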