
I saw on the thread "How do you configure HttpOnly cookies in tomcat / java webapps?" that Tomcat 5.5.(>28) is supposed to support the vendor-specific useHttpOnly attribute specified in <Context> elements.

I added this attribute to ALL contexts configured in my server.xml.

However, only the JSESSIONID was appended with the "; HttpOnly" flag. All other cookies are exactly as they were before I added useHttpOnly="true".

Set-Cookie=
JSESSIONID=25E8F...; Path=/custompath; HttpOnly
mycustomcookie1=xxxxxxx; Path=/
mycustomcookie2=1351101062602; Path=/
mycustomcookie3=0; Path=/
mycustomcookie4=1; Path=/; Secure
mycustomcookie5=4000; Expires=Sat, 22-Oct-2022 17:51:02 GMT; Path=/

Is there anything else I need to change?

(upgrading to tomcat 6 or 7 is not an option for now. Our system uses a third party framework based on tomcat 5.5)

L. Holanda

1 Answer

The useHttpOnly configuration in the server indeed applies only to server-controlled cookies such as JSESSIONID.

For webapp-controlled cookies you have to create the entire cookie header yourself. The Cookie class is unsuitable because the setHttpOnly() method was introduced in Servlet 3.0; Tomcat 5.5, being a Servlet 2.4 container, does not have this method in the Cookie class. You'd need to upgrade to at least Tomcat 7, which is a Servlet 3.0 compatible container.

You can manually create the cookies mentioned in the question as follows:

response.addHeader("Set-Cookie", "mycustomcookie1=xxxxxxx; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie2=1351101062602; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie3=0; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie4=1; Path=/; Secure; HttpOnly");
response.addHeader("Set-Cookie", "mycustomcookie5=4000; Expires=Sat, 22-Oct-2022 17:51:02 GMT; Path=/; HttpOnly");

It's indeed just a matter of adding the HttpOnly attribute to the cookie header value, separated by a semicolon.

If you'd like to transparently apply this to all cookies, then you might want to provide a custom HttpServletResponseWrapper in which the addHeader() and setHeader() methods are overridden to check whether a Set-Cookie header is being set and, if so, append ;HttpOnly to the value when it is absent. This way you can keep using addCookie().

BalusC
  • So sad about this... I wish there was some kind of configuration to apply this globally to the server. I don't want to go all over my code changing calls from `response.addCookie(cookie)` to `response.addHeader(...)` and manually creating the cookies. Even if I had a servlet 3.0 container, it would be painful to go calling `setHttpOnly()` to every cookie created. :( I'll try the `HttpServletResponseWrapper` idea. – L. Holanda Oct 24 '12 at 19:57
  • Are you dealing with so many cookies? Your code might need some refactoring then as well :) – BalusC Oct 24 '12 at 20:01
  • They are not that many. About 12 of them. The problem is that the code is using Cookie class facilities such as secure, expiration, path, etc. If I change the code to use addHeader, I'll need to handle everything by myself. In addition, the code is not mine; I'm dealing with something that is at least 4 years old. – L. Holanda Oct 24 '12 at 22:39
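The wrapper approach from the answer, written out as an added example that is not part of the original answer or of any Tomcat/Servlet API code. It is a Servlet 2.4 compatible Filter (no Servlet 3.0 APIs, no annotations) so it runs unchanged on Tomcat 5.5; the class names HttpOnlyCookieFilter and HttpOnlyResponseWrapper and the helpers withHttpOnly() and toSetCookieHeader() are assumed names chosen here. It assumes only the Servlet 2.4 API on the classpath. Besides addHeader() and setHeader() it also overrides addCookie(): when the application calls addCookie() on the wrapper, the default wrapper implementation hands the Cookie object to the container, which writes the Set-Cookie header on its own and never passes through the wrapper's addHeader(). Serialising the Cookie here and routing it through addHeader() keeps the existing addCookie() calls in the code base working while still getting the flag appended.

```java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Servlet 2.4 filter that appends "; HttpOnly" to every Set-Cookie header the
 * webapp emits, whether via addHeader()/setHeader() or via addCookie().
 * Assumed name for this example; not part of the original post.
 */
public class HttpOnlyCookieFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new HttpOnlyResponseWrapper((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    /** Response wrapper that rewrites Set-Cookie values (assumed name for this example). */
    static class HttpOnlyResponseWrapper extends HttpServletResponseWrapper {

        HttpOnlyResponseWrapper(HttpServletResponse response) {
            super(response);
        }

        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withHttpOnly(value) : value);
        }

        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withHttpOnly(value) : value);
        }

        // The container builds the header for addCookie() itself, bypassing this
        // wrapper's addHeader(), so serialise the Cookie here and route it through addHeader().
        public void addCookie(Cookie cookie) {
            addHeader("Set-Cookie", toSetCookieHeader(cookie));
        }

        /** Appends "; HttpOnly" unless the attribute is already present (attribute names are case-insensitive). */
        static String withHttpOnly(String headerValue) {
            if (headerValue == null) {
                return null;
            }
            String[] parts = headerValue.split(";");
            for (int i = 0; i < parts.length; i++) {
                if (parts[i].trim().equalsIgnoreCase("HttpOnly")) {
                    return headerValue;
                }
            }
            return headerValue + "; HttpOnly";
        }

        /**
         * Serialises a Servlet 2.4 Cookie the way the question's cookies look (Netscape-style
         * Expires, Path, Domain, Secure). Values are written verbatim; values that would need
         * quoting (e.g. containing ';' or whitespace) are outside this example's scope.
         */
        static String toSetCookieHeader(Cookie c) {
            StringBuilder sb = new StringBuilder();
            sb.append(c.getName()).append('=').append(c.getValue() == null ? "" : c.getValue());
            if (c.getMaxAge() >= 0) {
                SimpleDateFormat fmt = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US);
                fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
                // maxAge == 0 means "delete now": emit a date in the past so browsers drop it.
                long expiresAt = c.getMaxAge() == 0
                        ? 10000L
                        : System.currentTimeMillis() + c.getMaxAge() * 1000L;
                sb.append("; Expires=").append(fmt.format(new Date(expiresAt)));
            }
            if (c.getDomain() != null) {
                sb.append("; Domain=").append(c.getDomain());
            }
            if (c.getPath() != null) {
                sb.append("; Path=").append(c.getPath());
            }
            if (c.getSecure()) {
                sb.append("; Secure");
            }
            return sb.toString();
        }
    }
}
```

Register it in the webapp's web.xml with a <filter> element naming this class and a <filter-mapping> on url-pattern /* so every response passes through the wrapper. Check the result the same way as in the question: every Set-Cookie line in the response should now end in "; HttpOnly", including the ones still produced by addCookie(), while JSESSIONID keeps getting its flag from the container's useHttpOnly setting. Cookies a servlet writes after the filter chain has already committed the response are of course not affected, since their headers are not sent at all.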