
We have observed that the httpOnly attribute has some changes in Java 6 Update 71, due to which my JSessionIDSSO cookie has the attribute httpOnly set to true.

Just need to check: has anyone faced the same issue?

Now my JNLP application, which uses JSessionIDSSO, is broken, as it is not able to read JSessionIDSSO. Setting the httpOnly attribute for JSessionIDSSO to false lets it work.

Can anyone suggest a solution for this behaviour?

Thanks

gusainhimanshu
  • Not really an answer to your question, but this is the intended behavior for session cookies. You do not want your session cookie to be accessible through JavaScript, because it could lead to session impersonation. Migrate all your sessionID handling code from the client side to the server side. – Nzall Jun 02 '14 at 11:51
  • @nate kerkhofs Yes, it is the intended behaviour, but I wanted my JavaScript to access my cookies. The issue was due to the default behaviour change for the useHttpOnly attribute by Tomcat in its latest versions, so I just set that attribute to false explicitly in the context.xml of the webapp. On the part of sessionID handling, the design of the application is such that even if the hacker gets the cookies, they are of no use to him. – gusainhimanshu Jun 06 '14 at 16:43

1 Answer


Implement a CookieManager. HttpOnly prevents cookies from being read.

Justin
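The CookieManager approach from the answer, worked through as an added example (this is not code from the answerer, the asker, or Tomcat): the JNLP client installs a java.net.CookieManager so JSESSIONIDSSO is stored and sent on the Java side. HttpOnly only blocks browser-side script (document.cookie) from reading a cookie; a Java HTTP client that manages its own cookies is unaffected, so Tomcat's useHttpOnly default can stay on. The base URL is an assumed placeholder; the cookie name is the one from the question.

```java
import java.io.IOException;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpCookie;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;

public class SsoCookieClient {
    // Placeholder base URL (assumed); the cookie name is the one from the question.
    private static final String BASE_URL = "https://sso.example.invalid/app/";
    private static final String SSO_COOKIE = "JSESSIONIDSSO";
    private final CookieManager cookieManager;

    public SsoCookieClient() {
        // Store cookies only from the server that set them (default in-memory store).
        cookieManager = new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER);
        // Every HttpURLConnection in this JVM now sends and stores cookies through it.
        CookieHandler.setDefault(cookieManager);
    }

    // GET a path; Set-Cookie headers on the response (HttpOnly or not) are stored automatically.
    public int get(String path) throws IOException {
        HttpURLConnection conn =
                (HttpURLConnection) new URL(BASE_URL + path).openConnection();
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode();
        conn.disconnect();
        return status;
    }

    // True when an unexpired JSESSIONIDSSO is held for this origin; its value never leaves the store.
    public boolean hasSsoSession() {
        for (HttpCookie c : cookieManager.getCookieStore().get(URI.create(BASE_URL))) {
            if (SSO_COOKIE.equals(c.getName()) && !c.hasExpired()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        SsoCookieClient client = new SsoCookieClient();
        client.get("login");                    // response sets JSESSIONIDSSO
        System.out.println("SSO session held: " + client.hasSsoSession());
        client.get("protected");                // cookie attached automatically
    }
}
```

CookieHandler.setDefault is JVM-wide, so install one CookieManager once at application start rather than per request.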