Razzie

Reputation: 31232

HttpOnly / secure cookies with Play Framework and Google App Engine

We're developing an application using Play! 1.2.5 and deploying to Google App Engine. In the application.conf I have set the session cookie to be httpOnly and secure:

application.session.httpOnly=true
application.session.secure=true

When I fire a request locally, I can see the headers being set correctly:

Set-Cookie: PLAY_SESSION=something;Expires=Mon, 10-Dec-2012 14:51:56 GMT;Path=/;Secure;HTTPOnly

When I deploy to Google App Engine, I do not see any Secure or HTTPOnly flag on the cookies being set. How come?

I can't find similar problems online. Closest thing I read was GAE not supporting response.setHttpOnly (or something similar) but from the Play! source code I can see a simple Cookie being created with a httpOnly value being set to a boolean value and written to the response. Not sure why GAE would not accept this.

Thanks!

Upvotes: 3

Views: 3589

Answers (1)

palako

Reputation: 3470

Things you can do to debug:

  • Do response.setHttpOnly on a different cookie (or response.setCookie with the httpOnly param set to true), not the session one, to see if the problem applies to all cookies.
  • In your controller, check request.cookies, a map with all the cookies received, to see the httpOnly values for the received cookies.
  • Depending on those two above, maybe check if what you have in request.cookies and response.cookies is consistent with regards to httpOnly.
  • Depending on the above, maybe edit the response cookie to set httpOnly to true.
  • If none of the above works, maybe generate a "Set-cookie" header manually. Get the values from the cookies map, remove that cookie from the map to not have it duplicated, and do response.setHeader with the manually created one.

All that might not give you the solution, but maybe will help you understand what's going on and if it's even possible.

Upvotes: 1
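As an added illustration of the probing steps in the answer above (not code from the question, the answer or the Play! project), here is a Play 1.2.x controller that sets a throwaway cookie with both flags, dumps the cookies the browser sent back, and emits a Set-Cookie header by hand. The controller name, the routes and the setCookie(name, value, domain, path, duration, secure, httpOnly) overload are assumed from the Play 1.2.x API and should be checked against the local framework source.

```java
package controllers;

import play.mvc.Controller;
import play.mvc.Http;

// Hypothetical debugging controller; map it in conf/routes, e.g.
// GET /cookieprobe/{action}   CookieProbe.{action}
public class CookieProbe extends Controller {

    // Step 1: a separate cookie with Secure and HttpOnly, so the test does not
    // depend on how PLAY_SESSION is written.
    public static void probe() {
        // Assumed Play 1.2.x overload: (name, value, domain, path, duration, secure, httpOnly)
        response.setCookie("PROBE", "1", null, "/", "1h", true, true);
        renderText("PROBE cookie set; now call /cookieprobe/inspect");
    }

    // Step 2: list what came back in the Cookie request header. Browsers only
    // send name=value pairs back, so the secure/httpOnly fields parsed on the
    // request side stay false regardless of what the server set; the real
    // evidence is the Set-Cookie response header seen in the browser's tools.
    public static void inspect() {
        StringBuilder sb = new StringBuilder();
        for (Http.Cookie c : request.cookies.values()) {
            sb.append(c.name).append(" value=").append(c.value)
              .append(" secure=").append(c.secure)
              .append(" httpOnly=").append(c.httpOnly).append('\n');
        }
        renderText(sb.toString());
    }

    // Step 5: bypass the cookie map and write the header directly. The cookie
    // is removed from response.cookies first so Play does not emit it twice.
    public static void manual() {
        response.setCookie("PROBE", "2", null, "/", "1h", true, true);
        Http.Cookie c = response.cookies.remove("PROBE");
        String header = c.name + "=" + c.value
                + ";Path=" + c.path
                + (c.maxAge != null ? ";Max-Age=" + c.maxAge : "")
                + (c.secure ? ";Secure" : "")
                + (c.httpOnly ? ";HttpOnly" : "");
        response.setHeader("Set-Cookie", header);
        renderText("manual header written: " + header);
    }
}
```

If the manual header arrives intact on App Engine but the setCookie version does not, the flags are being dropped between Play's cookie map and the servlet response, not by the browser.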
