
Struts 2 and making JSESSIONID cookie HttpOnly on Tomcat 6, Java 6

There's lots of info out there on the web and here on SO about this subject but I find that a lot of it is contradictory. So I'm asking point blank - how in the world can I add the HttpOnly attribute to the JSESSIONID Session cookie?

I've tried adding this to my webapp's web.xml:

<!-- cookie-config is a Servlet 3.0 element; the web.xml must use a 3.0 (or later) web-app descriptor -->
<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

... and I've tried adding this to my context.xml file in conf/Catalina/localhost:

<Context useHttpOnly="true">

And no dice. Incidentally, I added the above (useHttpOnly="true") to a Spring MVC app on the same Tomcat and it works like a charm -- when I check my response headers I see:

Set-Cookie:JSESSIONID=57675D7792083CB3B906DAA47A2B5C94; Path=/my-app; HttpOnly

But with my Struts 2 app, this does not happen. I've read that Struts doesn't do this out-of-the-box, that you have to have each and every action implement CookieProvider, implement the getCookies() method, and then make sure those Actions are wired to use the CookieInterceptor ...

... other posts say you have to do this manually in a Servlet Filter ...

... but at the same time in other (more recent) posts, it says you don't have to do anything, that this is the container's responsibility and if you are using Servlet api 3.0, and add the above lines to your context.xml, it should work. The fact that it works fine with Spring MVC tells me that that may be true.

Can anyone tell me definitively if I have to do something programmatically? Many thanks.

In the end I didn't do anything programmatically. It wasn't necessary.

I'm still a little iffy on why exactly something that's only supposed to work on Tomcat 7 and above also works on Tomcat 6. But anyway, in my poms I am using javax.servlet-api 3.1.0 (provided, by the container):

<dependency>
 <groupId>javax.servlet</groupId>
 <artifactId>javax.servlet-api</artifactId>
 <version>3.1.0</version>
 <scope>provided</scope>
</dependency>

and in my context xml files I added 'useHttpOnly="true"':

<Context useHttpOnly="true">

and all seems to work. It didn't seem to be working at first; I would never see 'HttpOnly' on the JSESSIONID cookie using the browser dev tools. But then I installed BurpSuite to intercept all my HTTP traffic, and sure enough, I could see the 'HttpOnly' attribute was there.
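The lesson of the answer above is that browser dev tools are not a reliable way to confirm a cookie flag; the raw Set-Cookie header is. The following is an added example, not code from the question or the answer, that does the same check a proxy like Burp gives you: it parses the Set-Cookie headers of a response and reports which cookies lack HttpOnly (and optionally Secure). The raw response embedded below is a constructed sample built around the header quoted in the question; the `audit_url` helper is an assumption about how you would point it at your own Struts or Spring deployment.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attribute.

Added example, not code from the original question or answer. It reads the
raw Set-Cookie headers of an HTTP response, which is what the answer ended
up doing with Burp, instead of trusting what the browser dev tools show.
"""
from typing import Dict, List, Union
import urllib.request

# Constructed sample response: a Tomcat-style reply carrying the JSESSIONID
# header quoted in the question plus a second cookie without HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=57675D7792083CB3B906DAA47A2B5C94; Path=/my-app; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/my-app\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookie(header_value: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split one Set-Cookie value into cookie name, value and its attributes.

    Attribute names are compared case-insensitively (RFC 6265), so 'HttpOnly',
    'httponly' and 'HTTPONLY' all count. Flag attributes map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return every Set-Cookie header value from a raw HTTP response text."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit_set_cookie_values(values: List[str], require_secure: bool = False) -> Dict[str, List[str]]:
    """Map each cookie name to the list of security attributes it is missing."""
    findings: Dict[str, List[str]] = {}
    for header_value in values:
        cookie = parse_set_cookie(header_value)
        attrs = cookie["attrs"]
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if require_secure and "secure" not in attrs:
            missing.append("Secure")
        findings[cookie["name"]] = missing
    return findings


def audit_raw_response(raw_response: str, require_secure: bool = False) -> Dict[str, List[str]]:
    """Audit the cookies set by a raw HTTP response (e.g. pasted from a proxy)."""
    return audit_set_cookie_values(set_cookie_headers(raw_response), require_secure)


def session_cookie_is_httponly(raw_response: str, name: str = "JSESSIONID") -> bool:
    """True only if the named session cookie is present and carries HttpOnly."""
    findings = audit_raw_response(raw_response)
    return name in findings and "HttpOnly" not in findings[name]


def audit_url(url: str, require_secure: bool = False) -> Dict[str, List[str]]:
    """Fetch a live URL and audit its Set-Cookie headers.

    Assumption: the app is reachable from this host; redirects are followed,
    so the audited headers are those of the final response. Not run offline.
    """
    with urllib.request.urlopen(url) as resp:
        return audit_set_cookie_values(resp.headers.get_all("Set-Cookie") or [], require_secure)


if __name__ == "__main__":
    for cookie_name, missing in audit_raw_response(SAMPLE_RESPONSE, require_secure=True).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie_name}: {status}")
```

Pointing `audit_url` at the Struts app (for example `audit_url("http://localhost:8080/my-app/")`) reports the session cookie exactly as the container sent it; if the app is served over HTTPS, pass `require_secure=True` as well, since `useHttpOnly` alone does not add the Secure flag.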
