how do I test httpOnly cookie flag

Question

I have set the following property in websphere for the jsession cookie com.ibm.ws.webcontainer.HTTPOnlyCookies.

Any idea how best to test this using JavaScript in Firefox or IE?

Answer 1

The easiest way to do it on Chrome or Firefox is as below:

• Open the page for instance somedomain.com
• Open dev tools by right clicking on page and then clicking on Inspect or Inspect Element
• Click on Network tab
• Click on any of the actual request and go to Headers section
• Now look for set-cookie in response headers

Here is the screenshot for details

Answer 2

add the following lines to your app String

sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure; HttpOnly");

Answer 3

Firebug - click on the Cookies tab

Answer 4

It's a pain in IE. I have IE9 so your screens may be different.

Press F12, go to the network tab, and then press Start Capturing. Back in IE then open the page you want to view. Back in the F12 window you show see all the individual HTTP requests, select the one that's the page or asset you're checking the cookies on and double click on it. You should then be able to see all the response headers and cookies on their relevant tabs.

---

Edit:

A HttpOnly Cookie would look something like this:

Set-Cookie: SessionId=z5ymkk45aworjo2l31tlhqqv; path=/; HttpOnly

The cookie may not be sent with every response, so you may need to clear all of your cookies and then try again to make sure one is sent with the request you're monitoring.

Answer 5

firecookie for firefox gives me the answer.