Tags: java, security, cookies, xss, httponly

How do you configure HttpOnly cookies in tomcat / java webapps?


After reading Jeff's blog post on Protecting Your Cookies: HttpOnly, I'd like to implement HttpOnly cookies in my web application.

How do you tell Tomcat to use HttpOnly cookies for sessions?


Solution

  • httpOnly is supported as of Tomcat 6.0.19 and Tomcat 5.5.28.

    See the changelog entry for bug 44382.

    The last comment for bug 44382 states, "this has been applied to 5.5.x and will be included in 5.5.28 onwards." However, it does not appear that 5.5.28 has been released.

    The httpOnly functionality can be enabled for all webapps in conf/context.xml:

    <Context useHttpOnly="true">
    ...
    </Context>

    My interpretation is that it also works for an individual context by setting it on the desired Context entry in conf/server.xml (in the same manner as above).
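Once `useHttpOnly="true"` is in place, the practical check is to look at the `Set-Cookie` headers the server actually emits and confirm the session cookie carries the `HttpOnly` attribute. The following is an added example (not part of the question or the answer above, and not Tomcat's own code) that parses Set-Cookie header values with Python's standard `http.cookies` module and reports which session cookies are missing `HttpOnly`; it also reports a missing `Secure` attribute, which the original answer does not discuss. The header values are constructed to resemble a Tomcat `JSESSIONID` cookie with and without the flag; they are illustrative, not captured from a real server, and the cookie name set `SESSION_COOKIE_NAMES` is an assumption you would adapt to your deployment.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values. The first resembles what
# Tomcat sends with useHttpOnly="true"; the second resembles the default.
# These are illustrative values, not output captured from a real server.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",   # flag present
    "JSESSIONID=FEDCBA9876543210; Path=/other",           # flag missing
    "theme=dark; Path=/; Max-Age=86400",                  # not a session cookie
]

# Assumed session cookie name(s); JSESSIONID is Tomcat's default.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into a list of (name, attrs) pairs.

    SimpleCookie treats HttpOnly and Secure as boolean flags: a morsel's
    'httponly'/'secure' entry is True when the attribute is present and the
    empty string when it is absent, so bool() gives a clean yes/no.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    parsed = []
    for name, morsel in jar.items():
        parsed.append((name, {
            "httponly": bool(morsel["httponly"]),
            "secure": bool(morsel["secure"]),
            "path": morsel["path"],
        }))
    return parsed


def audit_set_cookie_headers(headers, session_names=SESSION_COOKIE_NAMES):
    """Return {(cookie_name, path): [missing flags]} for session cookies.

    Only cookies whose name is in session_names are audited; an empty dict
    means every session cookie seen had both HttpOnly and Secure set.
    Keying on (name, path) keeps two JSESSIONID cookies for different
    contexts from overwriting each other.
    """
    findings = {}
    for header in headers:
        for name, attrs in parse_set_cookie(header):
            if name not in session_names:
                continue
            missing = [flag for flag in ("httponly", "secure") if not attrs[flag]]
            if missing:
                findings[(name, attrs["path"])] = missing
    return findings


if __name__ == "__main__":
    for (name, path), missing in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        print(f"{name} (Path={path}) is missing: {', '.join(missing)}")
```

In practice you would feed this the `Set-Cookie` values from a real response (for example, every `Set-Cookie` header returned by `urllib.request` or your HTTP client of choice) after logging in, once for each Tomcat context you changed, since a per-context setting in server.xml only affects that context.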