Chris Lercher
Reputation: 37778
httpOnly Session Cookie + Servlet 3.0 (e.g. Glassfish v3)
By default, Glassfish v3 doesn't set the httpOnly flag on session cookies (when created as usual with request.getSession()).
I know, there is a method javax.servlet.SessionCookieConfig.setHttpOnly(), but I'm not sure, if that's the best way to do it, and if yes, where the best place would be to put that line.
BTW, of course it can't be done in the servlet itself (e.g. in init()):
java.lang.IllegalStateException: PWC1426:
Unable to configure httpOnly session tracking cookie property for
servlet context /..., because this servlet context has already been initialized
Generally, I would prefer to use a configuration option e.g. in web.xml.
Upvotes: 19
Views: 14588
Answers (2)
Amir Md Amiruzzaman
Reputation: 2069
You can also add <secure>true</secure> to boost the security.
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
Upvotes: 3
Pascal Thivent
Reputation: 570295
This is supported via a Servlet 3.0 web.xml (see web-common_3_0.xsd):
<web-app>
<session-config>
<cookie-config>
<!--
Specifies whether any session tracking cookies created
by this web application will be marked as HttpOnly
-->
<http-only>true</http-only>
</cookie-config>
</session-config>
</web-app>
Upvotes: 24
Related Questions
- Setting an httponly cookie with javax.servlet 2.5
- When use sessions in Servlet?
- servlet set cookie secure?
- Servlet authentication using sessions and cookies
- Session in Servlets
- Disabling Cookies stops Session as well?
- Cookie handling with Servlet
- Servlet session is not persistent
- How can I set session cookies to be Http-Only in servlet API 2.5?
- Tomcat HttpSession Cookie Shared