Kyle

Reputation: 22035

How can I set session cookies to be Http-Only in servlet API 2.5?

How can I set session cookies to be Http-Only in servlet API 2.5? The Cookie.setHttpOnly method was added in servlet API 3.0.

Upvotes: 3

Views: 10394

Answers (2)

Belun

Reputation: 4169

I need to do the same thing...

I'm thinking of doing a servlet filter, reading the cookies with request.getCookies(), creating the raw cookies (in a StringBuilder; not the object Cookie), appending HttpOnly and using response.setHeader("Set-Cookie", rawCookies) to put them back.

One thing to be careful about is taking other properties, as in domain, path, secured; not just name and value.

Will let you know how it goes...

PS: I also thought of taking the header with request.getHeader("COOKIES") and using regex to append HttpOnly, but it seems that the header COOKIES will only give you the name and the value property.

Upvotes: 1

kschneid

Reputation: 5694

I think you'll want to create some utility code that will take a Cookie and a flag for whether or not you want HttpOnly. The utility will create the associated string header for the cookie which you can pass to HttpServletResponse.addHeader("Set-Cookie", cookieHeader).

Upvotes: 0
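
One way to write the utility both answers describe, as an added example that is not code from either answerer: it builds the Set-Cookie value by hand from a Servlet 2.5 Cookie, carries over domain, path, age and the secure flag, and refuses values that would break out of the header. The class name `HttpOnlyCookies` and its methods are hypothetical; the Version and Comment attributes are left out.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper (not part of the Servlet API): writes Set-Cookie by hand for Servlet 2.5. */
public final class HttpOnlyCookies {
    private HttpOnlyCookies() {}

    /** Builds the Set-Cookie header value, keeping the cookie's domain, path, age and secure flag. */
    public static String toHeader(Cookie c, boolean httpOnly) {
        StringBuilder sb = new StringBuilder();
        sb.append(clean(c.getName())).append('=').append(clean(c.getValue()));
        if (c.getDomain() != null) sb.append("; Domain=").append(clean(c.getDomain()));
        if (c.getPath() != null) sb.append("; Path=").append(clean(c.getPath()));
        if (c.getMaxAge() >= 0) {
            // Max-Age for current browsers, Expires for older ones that ignore Max-Age.
            SimpleDateFormat fmt = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
            fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
            // Max-Age of 0 means "delete now", so Expires is set to the epoch.
            long expires = c.getMaxAge() == 0 ? 0L : System.currentTimeMillis() + c.getMaxAge() * 1000L;
            sb.append("; Max-Age=").append(c.getMaxAge());
            sb.append("; Expires=").append(fmt.format(new Date(expires)));
        }
        if (c.getSecure()) sb.append("; Secure");
        if (httpOnly) sb.append("; HttpOnly");
        return sb.toString();
    }

    /** Use instead of response.addCookie(c); addHeader keeps Set-Cookie headers already queued. */
    public static void addCookie(HttpServletResponse response, Cookie c, boolean httpOnly) {
        response.addHeader("Set-Cookie", toHeader(c, httpOnly));
    }

    /** Rejects characters that would end the attribute or the header line (response splitting). */
    private static String clean(String s) {
        if (s == null) return ""; // Cookie allows a null value; emit it as empty
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            if (ch == ';' || ch < 0x20 || ch == 0x7f) { // covers CR and LF
                throw new IllegalArgumentException("illegal character in cookie field");
            }
        }
        return s;
    }
}
```

The container writes the session cookie itself, so covering it means a filter building a Cookie from `request.getSession().getId()` (the name `JSESSIONID` and the context path as its path are assumptions about the deployment) and passing it to `addCookie`.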
