
httpOnly flag is not working in spring internationalization

I have set the HttpOnly flag in the response header Set-Cookie as follows:

```java
String sessionid = httpReq.getSession().getId();
httpRes.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + ";HttpOnly");
```

It is working fine everywhere except the internationalization part. I am using Spring 3 and the servlet container is Tomcat. How do I set this?

Can anyone please help to solve this?

Thanks in advance

user3132347
  • You shouldn't set the session id cookie like that, use the web.xml configuration for that. For the internationalization, assuming you are using the `CookieLocaleResolver` set the `cookieHttpOnly` property to `true`. – M. Deinum Dec 29 '14 at 07:36

1 Answer

First of all, setting the httpOnly option that way is a really bad way imho (you are, for instance, losing the path/domain of the cookie). You should use configuration for that. How the session cookie is going to be written can be configured in the web.xml.

```xml
<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
```

If you are on a servlet container that doesn't support the Servlet 3.0 spec, in most cases there are configuration options to enable it.

For I18N you need to configure a CookieLocaleResolver and set the cookieHttpOnly property to true.

```xml
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver">
    <property name="cookieHttpOnly" value="true" />
</bean>
```

M. Deinum
  • @Deinum thanks for your help. I did this as per your guidance, but I am getting an error like this: "Invalid property 'cookieHttpOnly' of bean class [org.springframework.web.servlet.i18n.CookieLocaleResolver]" – user3132347 Dec 29 '14 at 07:54
  • First of all, we are using Servlet 2.5. It does not support true. So we have upgraded our servlet version and tried the same, but the JSESSIONID created is not suffixed with the HttpOnly tag. – user3132347 Dec 29 '14 at 08:02
  • Make sure your web.xml also has the proper version (3.0), else it won't work. If the property isn't there on the `CookieLocaleResolver`, you are using an old version of Spring; you should do an upgrade to a version that has support for this version (something in the 3.x range). – M. Deinum Dec 29 '14 at 08:11
  • Please add the information to your question as that is crucial information, also please specify WHICH servlet container (tomcat, jetty or.... ) you are using. – M. Deinum Dec 29 '14 at 08:12
  • @Deinum thanks for your kind help. We were using Tomcat 6 and Spring 3.1.1. It started working when we upgraded both Tomcat to 7 and Spring to 3.2.12, but our server is using Tomcat 6 and we cannot change it. Could you please tell me why cookieHttpOnly is not working with Tomcat 6? We have replaced the Spring servlet with Tomcat 7's; it doesn't work, and I wouldn't prefer this as I know it's not a good way. So please help me find a solution to implement cookieHttpOnly in Tomcat 6. – user3132347 Dec 30 '14 at 08:11
  • `cookieHttpOnly` works only for Servlet 3.0 enabled containers, Tomcat 6 isn't. How to enable it, by default, check http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps. – M. Deinum Dec 30 '14 at 08:46
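
To confirm which cookies the application actually sends without the flag, the following added example (not part of the original answer or comments) audits `Set-Cookie` header values for a missing `HttpOnly` attribute and a missing `Path`. The class name `SetCookieAudit` and the sample headers are constructed for illustration; the locale cookie name is the `CookieLocaleResolver` default.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class SetCookieAudit {

    /** Parses the attributes of one Set-Cookie value; keys are lower-cased. */
    static Map<String, String> attributes(String headerValue) {
        Map<String, String> attrs = new LinkedHashMap<String, String>();
        String[] parts = headerValue.split(";");
        // parts[0] is the name=value pair; everything after it is an attribute.
        for (int i = 1; i < parts.length; i++) {
            String part = parts[i].trim();
            if (part.isEmpty()) continue;
            int eq = part.indexOf('=');
            String key = (eq < 0 ? part : part.substring(0, eq)).trim();
            attrs.put(key.toLowerCase(Locale.ROOT), eq < 0 ? "" : part.substring(eq + 1).trim());
        }
        return attrs;
    }

    /** Returns one finding per cookie that lacks HttpOnly or an explicit Path. */
    static List<String> audit(List<String> setCookieHeaders) {
        List<String> findings = new ArrayList<String>();
        for (String header : setCookieHeaders) {
            String pair = header.split(";", 2)[0];
            int eq = pair.indexOf('=');
            String name = (eq < 0 ? pair : pair.substring(0, eq)).trim();
            Map<String, String> attrs = attributes(header);
            if (!attrs.containsKey("httponly")) findings.add(name + ": missing HttpOnly");
            if (!attrs.containsKey("path")) findings.add(name + ": no explicit Path");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from a real server.
        List<String> headers = Arrays.asList(
            "JSESSIONID=0123456789ABCDEF;HttpOnly",                 // hand-built, as in the question
            "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",     // written by the container
            "org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en; Path=/");
        for (String finding : audit(headers)) {
            System.out.println(finding);
        }
    }
}
```

Feed it the `Set-Cookie` values from a real response (for example, copied from the browser's network panel) after each configuration change to see whether the session and locale cookies both carry the flag.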