I'm trying to set the httponly flag on the JSESSIONID cookie. I'm working in Java EE 5, however, and can't use setHttpOnly(). First I tried to create my own JSESSIONID cookie from within the servlet's doPost() by using response.setHeader(). When that didn't work, I tried response.addHeader(). That didn't work either. Then, I learned that the servlet handled converting the session into a JSESSIONID cookie and inserting it into the http header so if I want to play with that cookie, I'll have to write a filter. I wrote a filter and played with setHeader()/addHeader() there, again to no avail. Then, I learned that there's some flush/close action going on in the response object before it gets to the filter so if I want to manipulate the data, I need to extend HttpServletResponseWrapper and pass that to filterChain.doFilter(). This is done but I'm still not getting results. Clearly I'm doing something wrong but I don't know what.

I'm not sure if this is at all relevant to the question at hand but no html document is being returned by the servlet to the browser. All that's really happening is that some objects are being populated and returned to a JSP document. I've sort of assumed that the Session object is turned into a JSESSIONID cookie and wrapped -- along with the objects added to the request -- in an http header before being sent to the browser.

I'd be happy to post some code but I want to rule out the possibility that my difficulties stem from a misunderstanding of the theory first.

A: 

Since the JSESSIONID cookie is managed by the servlet container, this setting is servlet container specific. It's unclear which one you're using, so here's an Apache Tomcat 6.0 targeted answer so that you know in which direction you'll have to look for your servlet container: you need to set the useHttpOnly attribute of the web application's <Context> element to true.

<Context useHttpOnly="true">
    ...
</Context>

Also see this Tomcat documentation about the <Context> element.

BalusC
The more I explore this topic, the more I realize how utterly ignorant I am about nearly everything. I'm using JBoss 4.0 but, from what I've read, JBoss is an EJB container (?). I'm not sure what servlet container I'm using. I'll have to post again when I've found out what my servlet container is.
Mythandros
JBoss is an application server. It uses Tomcat as servlet container and adds some EJB and other fancy JavaEE features on top of that. The EJB story is irrelevant here. This is an HTTP/Servlet issue. By the way, I am not sure if the old JBoss 4.0 supports this attribute... At least, the instructions are the same as for Tomcat.
BalusC
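A quick way to confirm what the container actually sends after changing the <Context> setting, as an added example that is not code from the question or the answer: this Python script parses the Set-Cookie headers of a response and reports whether every JSESSIONID cookie carries HttpOnly (and Secure). The header sample is constructed; check_live and its host/port arguments are assumptions for your own deployment.

```python
import http.client
from typing import Dict, List, Optional, Tuple

# Constructed sample of raw response headers from a Java web app. The first
# Set-Cookie is a container-issued session cookie lacking HttpOnly (the symptom
# in the question); the second is an application cookie that has both flags.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=ABC123DEF456; Path=/myapp"),
    ("Set-Cookie", "prefs=dark; Path=/myapp; HttpOnly; Secure"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie name, attributes).

    Attribute names are lower-cased so matching is case-insensitive, as
    browsers treat them; flag attributes such as HttpOnly map to None."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name, attrs


def session_cookie_flags(headers: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Report whether JSESSIONID was set and whether ALL its Set-Cookie
    headers (there may be one per path) carry HttpOnly and Secure."""
    found = []
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hval)
        if name == "JSESSIONID":
            found.append(attrs)
    return {
        "present": bool(found),
        "httponly": bool(found) and all("httponly" in a for a in found),
        "secure": bool(found) and all("secure" in a for a in found),
    }


def check_live(host: str, path: str = "/", port: int = 8080) -> Dict[str, bool]:
    """Fetch one page from a running server and check its session cookie
    (assumed host/port; network access, not used by the offline sample)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    headers = conn.getresponse().getheaders()  # list of (name, value), one per header
    conn.close()
    return session_cookie_flags(headers)
```

If "present" is False, the request never created a session, so hit a page that calls request.getSession() before drawing conclusions.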