Jeff R.
Reputation: 381
Tomcat 7 - JSESSIONID cookie is not accessible from JavaScript code
Does anyone know what changed in the configuration between Tomcat 6 and Tomcat 7 that would cause the JSESSIONID cookie to not be accessible via JavaScript?
Using Tomcat 6:
alert(document.cookie); // JSESSIONID=8675309ABCDEF...
Using Tomcat 7:
alert(document.cookie); // nothing
Upvotes: 12
Views: 12868
Answers (1)
Jeff R.
Reputation: 381
Okay, I found the answer. The useHttpOnly attribute was set to false by default in Tomcat 6, and is true in Tomcat 7. This attribute is set for the <Context> container.
<Context useHttpOnly="false" [...] />
For more information about updating from Tomcat 6 to 7: Migrating from 6.0.x to 7.0.x
I'm not sure why I didn't see that in the docs before, but I've verified that setting this to false does in fact cause Tomcat 7 to revert to the Tomcat 6 behavior.
Upvotes: 13
Related Questions
- Forcing Tomcat to use secure JSESSIONID cookie over http
- Session Handling in servlet using JSESSIONID cookie not getting session
- Jsession in tomcat configuration
- Can not read JSESSIONID cookie after setting cookie-config to httpOnly and secure in web.xml
- how to refresh JSESSIONID cookie after login
- jsessionid passed in url if cookie and jsessionid stored by browser
- how to secure jsessionid cookie in tomcat 7 using environment variables
- Disable jsessionid via http header (cookie) in Tomcat 7
- JSESSIONID cookie domain
- Java,Tomcat,Sessions - JSessionId disappears