Kieveli

Reputation: 11094

Why can't I get the JSESSIONID cookie in GWT on the client side?

I have my GWT code in an index.jsp page, and when I view the page info (security/cookies), I see the JSESSIONID cookie assigned to 'subdomain.mysite.com'.

When in my client-side code, I do this:

Window.alert("cookies=" + Cookies.getCookieNames().toString());

I see two cookies that are assigned to 'mysite.com', but I do not see the JSESSIONID. The current URL for the page is 'subdomain.mysite.com' - shouldn't it be giving me the cookie? When I refresh, or display the cookies on a click event, I still do not see the JSESSIONID cookie.

Why can't I get it on the client side?

Upvotes: 1

Views: 5920

Answers (2)

BalusC

Reputation: 1109745

That will indeed happen if the HTTPOnly flag is set on the cookie, as explained by Chi. If your sole purpose is to get the current session ID in JavaScript context, then you could just let JSP/EL print it as if it's a JS variable:

<script>var jsessionid = '${pageContext.session.id}';</script>

Upvotes: 0

Chi

Reputation: 23184

Is your application server configured to set the HTTPOnly flag on the JSESSIONID cookie? If so, client side code will not be able to see it.

See https://www.owasp.org/index.php/HttpOnly

It is generally good security practice to set the HTTPOnly flag - can you clarify why you want access to the JSESSIONID cookie in your client side code?

Upvotes: 7
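
The behaviour discussed in the answers above, as an added example that is not part of the original posts: a small model of which cookies document.cookie (which GWT's Cookies class reads) exposes to script on 'subdomain.mysite.com'. The Set-Cookie lines, cookie names and function names are constructed for illustration, and Path and Secure matching are left out.

```javascript
// Constructed sample data; models only the Domain and HttpOnly rules.
function parseSetCookie(line, requestHost) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  // Without a Domain attribute the cookie is host-only for the setting host.
  const cookie = { name: pair.slice(0, eq), domain: requestHost.toLowerCase(),
                   hostOnly: true, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') {
      cookie.httpOnly = true;
    } else if (key === 'domain' && v.trim()) {
      cookie.domain = v.trim().replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Host-only cookies need an exact match; Domain cookies also match subdomains.
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  if (cookie.hostOnly) return h === cookie.domain;
  return h === cookie.domain || h.endsWith('.' + cookie.domain);
}

// Split the cookies that apply to `host` into script-visible and HttpOnly.
function classify(cookies, host) {
  const result = { visible: [], hidden: [] };
  for (const c of cookies) {
    if (!domainMatches(host, c)) continue;
    (c.httpOnly ? result.hidden : result.visible).push(c.name);
  }
  return result;
}

const HOST = 'subdomain.mysite.com';
const sampleHeaders = [
  'JSESSIONID=CONSTRUCTED0123; Path=/; HttpOnly', // container session cookie
  'prefs=dark; Domain=mysite.com; Path=/',
  'lang=en; Domain=.mysite.com; Path=/',
];
const jar = sampleHeaders.map(l => parseSetCookie(l, HOST));
console.log(classify(jar, HOST));
```

The two 'mysite.com' cookies land in `visible` and JSESSIONID in `hidden`, which matches what the question reports: the session cookie is still sent to the server on every request, it is only withheld from script.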
