Bug 45632 - HttpOnly Cookie support in 6.0.18
Summary: HttpOnly Cookie support in 6.0.18
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Servlet & JSP API
Version: unspecified
Hardware: PC Windows XP
Importance: P2 normal
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Reported: 2008-08-14 06:01 UTC by Kalidoss Sivasamy
Modified: 2008-08-26 14:00 UTC
Description Kalidoss Sivasamy 2008-08-14 06:01:07 UTC
We are seeing a different behavior in the cookie support between Tomcat version 6.0.14 and 6.0.18. The following code worked in 6.0.14 but not in 6.0.18.

Is there an explanation or is there a work around?

String sessionId = "Our Session ID";
String cookieValue = sessionId + "; Path=/; HttpOnly ";
Cookie cookie = new Cookie("sessionId", cookieValue);
cookie.setVersion(1);
response.addCookie(cookie);

Thanks,
Kal
Comment 1 Mark Thomas 2008-08-14 06:11:19 UTC
You can't do that. Tomcat will escape the ; in your cookie value.

You'll need to set the whole cookie header directly.

HttpOnly support is on the todo list for 6.0.x.
Comment 2 Jim Manico 2008-08-26 13:59:54 UTC
Did someone say session cookie server support? https://issues.apache.org/bugzilla/show_bug.cgi?id=44382 Mark, that's music to my ears! :) 
Comment 3 Jim Manico 2008-08-26 14:00:39 UTC
I meant...

Did someone say session cookie HTTPONLY support? https://issues.apache.org/bugzilla/show_bug.cgi?id=44382 Mark, that's music to my ears! :)