
I'm working with a web application that uses Servlet API v2.5, running on Tomcat 6, and I need to send HttpOnly cookies to the client. I'm not talking about session cookies generated by the servlet container (which is covered excellently by this question), but custom cookies added to the response using response.addCookie().

The Cookie#setHttpOnly() method does not exist in v2.5, so I have to build the HTTP header myself and add the HttpOnly token. Is there an easy way to do this without rolling my own implementation of RFC 6265 from scratch?

Brant Bobby
  • I'm confused. [One](http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps/33461#33461) of the answers of the question you linked to describes `response.setHeader( "Set-Cookie", "name=value; HttpOnly");` for the simple use case where you do not need the server's session cookies. Why doesn't that work for you? – Arjan Sep 24 '12 at 18:55
  • @Arjan I'm looking for a solution that handles character encoding, expiration dates, and all the other stuff defined in the RFC. Is there anything elsewhere in the Servlet API that can help me? (I'm willing to accept "there isn't" as an answer, if it's true.) – Brant Bobby Sep 24 '12 at 19:00
  • Ah, my bad, there's a lot more than just `name=value` of course. Did you check what `Cookie#toString()` gives you? – Arjan Sep 24 '12 at 19:07
  • @Arjan Yeah, Cookie#getValue() just returns the (String) value part of the cookie's name-value pair. – Brant Bobby Sep 24 '12 at 19:10
  • (Sorry, edited my comment to make that `#toString()` -- but I guess you're out of luck there too.) – Arjan Sep 24 '12 at 19:10
  • Oh, actually, though the Servlet 2.5's `Cookie#toString` just claims it's inherited from `Object`, [some other Java Cookie APIs](http://docs.oracle.com/javaee/6/api/javax/ws/rs/core/Cookie.html#toString()) explicitly state: *"Convert the cookie to a string suitable for use as the value of the corresponding HTTP header."* So it might be worth a test. – Arjan Sep 24 '12 at 19:35
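As an added example (not code from the question, the comments, or the answer below), here is a small Java helper that builds the Set-Cookie header value from a Servlet 2.5 `javax.servlet.http.Cookie` using only the getters that API already has, appends the `HttpOnly` token, and refuses names and values that RFC 6265 does not allow. That last check is also what stops a caller-supplied value containing CR/LF or `;` from smuggling extra attributes or extra response headers into the response. The class name `HttpOnlyCookieWriter` and its method names are my own; the only assumption is that the Servlet 2.5 API jar is on the classpath.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Builds a Set-Cookie header value, with the HttpOnly token, from a
 * javax.servlet.http.Cookie using only Servlet 2.5 getters.
 * Added example; hypothetical class, not part of the Servlet API or Tomcat.
 */
public final class HttpOnlyCookieWriter {

    private HttpOnlyCookieWriter() {}

    /** Adds the cookie to the response as one Set-Cookie header with HttpOnly set. */
    public static void addHttpOnlyCookie(HttpServletResponse response, Cookie cookie) {
        // addHeader, not setHeader: setHeader would replace any Set-Cookie already
        // queued on the response, including the container's own session cookie.
        response.addHeader("Set-Cookie", toSetCookieHeader(cookie));
    }

    /** Formats the cookie as an RFC 6265 set-cookie-string and appends "; HttpOnly". */
    public static String toSetCookieHeader(Cookie cookie) {
        String name = cookie.getName();
        String value = cookie.getValue() == null ? "" : cookie.getValue();
        if (!isToken(name)) {
            throw new IllegalArgumentException("Illegal cookie name: " + name);
        }
        if (!isCookieValue(value)) {
            // Values with CR, LF, ';', ',' etc. are rejected rather than emitted: the
            // caller must encode such values (e.g. URL-encode) before handing them over.
            throw new IllegalArgumentException("Illegal cookie value: " + value);
        }

        StringBuilder sb = new StringBuilder(name).append('=').append(value);

        int maxAge = cookie.getMaxAge();   // -1 (the default) means a session cookie
        if (maxAge >= 0) {
            sb.append("; Max-Age=").append(maxAge);
            // Also send Expires for clients that ignore Max-Age (older Internet Explorer).
            // maxAge == 0 means "delete now", so that case gets a date in the past.
            Date expires = maxAge == 0 ? new Date(0L)
                                       : new Date(System.currentTimeMillis() + maxAge * 1000L);
            sb.append("; Expires=").append(rfc1123(expires));
        }
        appendAttribute(sb, "Domain", cookie.getDomain());
        appendAttribute(sb, "Path", cookie.getPath());
        if (cookie.getSecure()) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");   // the token Servlet 2.5's Cookie cannot emit itself
        return sb.toString();
    }

    /** Appends "; Name=value" if value is set, refusing control characters and ';'. */
    private static void appendAttribute(StringBuilder sb, String attr, String v) {
        if (v == null || v.length() == 0) return;
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (c < 0x20 || c == 0x7f || c == ';') {
                throw new IllegalArgumentException("Illegal " + attr + " attribute: " + v);
            }
        }
        sb.append("; ").append(attr).append('=').append(v);
    }

    /** RFC 2616 token: printable US-ASCII with no separators. */
    static boolean isToken(String s) {
        if (s == null || s.length() == 0) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c <= 0x20 || c >= 0x7f || "()<>@,;:\\\"/[]?={}".indexOf(c) >= 0) return false;
        }
        return true;
    }

    /** RFC 6265 cookie-value: cookie-octets, optionally inside one pair of DQUOTEs. */
    static boolean isCookieValue(String s) {
        String body = s;
        if (s.length() >= 2 && s.charAt(0) == '"' && s.charAt(s.length() - 1) == '"') {
            body = s.substring(1, s.length() - 1);
        }
        for (int i = 0; i < body.length(); i++) {
            char c = body.charAt(i);
            // cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
            boolean ok = c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
                      || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
            if (!ok) return false;
        }
        return true;
    }

    /** Expires takes an RFC 1123 date in GMT; SimpleDateFormat is not thread-safe, so one per call. */
    static String rfc1123(Date d) {
        SimpleDateFormat f = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
        f.setTimeZone(TimeZone.getTimeZone("GMT"));
        return f.format(d);
    }
}
```

In a servlet this replaces `response.addCookie(c)` with `HttpOnlyCookieWriter.addHttpOnlyCookie(response, c)`; for a cookie built as `new Cookie("prefs", "dark")` with `setPath("/")` and `setMaxAge(3600)` the header comes out as `prefs=dark; Max-Age=3600; Expires=<date>; Path=/; HttpOnly`. The helper deliberately does not encode values itself: a value that fails the cookie-octet check is an error at the call site, which is easier to audit than silently transforming it.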

1 Answer


Maybe you will need to implement an org.apache.catalina.Valve (which works on a very similar philosophy to a Servlet Filter) and cast the cookies to org.apache.tomcat.util.http.ServerCookie so that you can access low-level details in order to stick 'HttpOnly' in there.

Tomcat API JavaDocs

Stewart