Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
377 views
in Technique[技术] by (71.8m points)

java - httpOnly Session Cookie + Servlet 3.0 (e.g. Glassfish v3)

By default, Glassfish v3 doesn't set the httpOnly flag on session cookies (when created as usual with request.getSession()).

I know, there is a method javax.servlet.SessionCookieConfig.setHttpOnly(), but I'm not sure, if that's the best way to do it, and if yes, where the best place would be to put that line.

BTW, of course it can't be done in the servlet itself (e.g. in init()):

java.lang.IllegalStateException: PWC1426: 
Unable to configure httpOnly session tracking cookie property for 
servlet context /..., because this servlet context has already been initialized

Generally, I would prefer to use a configuration option e.g. in web.xml.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

This is supported via a Servlet 3.0 web.xml (see web-common_3_0.xsd):

<web-app>
  <session-config>
    <cookie-config>
      <!--             
        Specifies whether any session tracking cookies created 
        by this web application will be marked as HttpOnly
      -->
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...