
Play framework 1.x on Tomcat - httpOnly cookies

I'm setting application.session.httpOnly=true in the application.conf and generating a war file and deploying on tomcat.

I still see the cookie generated as HttpOnly=No and it is editable.

This is an issue with Play 1.x running on Tomcat 6 (i.e. Servlet API 2.x). Apparently, the HttpOnly flag for cookies was only introduced in Servlet 3.0 and so is only available in Tomcat 7+.

Has anybody identified a workaround for this so far (so I could have HttpOnly cookies for Play 1.x on Tomcat 6.x)? The httpOnly flag on the context in Tomcat only works for Tomcat's JSESSIONID cookie...

Also, can I run a Play 1.x app on Servlet 3.0?

PS: This was also posted on the play framework's google groups but we did not receive a response and so posting on SO.

You should be able to run the app in tomcat 7. The reason is that although you'll deploy a War file, Play is not using any Servlet API, so that shouldn't be a problem. That said, the problem could be the addon that generates the War file, I'm afraid I don't have experience with it.

On workarounds, the only one would be to use the integrated server available with Play. If you run in Tomcat, Tomcat sets the rules so no HttpOnly for you. If you use the integrated Netty then you'll have that.
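For readers who have to stay on a Servlet 2.x container, a commonly used container-side approach is a filter that re-emits each cookie as a raw `Set-Cookie` header with `HttpOnly` appended. This is an added example, not code from the answer above or from Play; the class name `HttpOnlyCookieFilter` is hypothetical, and it assumes the war deployment writes its cookies through `HttpServletResponse.addCookie()`, which the page does not confirm.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical Servlet 2.5 filter: every cookie added via addCookie() goes out with HttpOnly. */
public class HttpOnlyCookieFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new HttpOnlyResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    static final class HttpOnlyResponse extends HttpServletResponseWrapper {
        HttpOnlyResponse(HttpServletResponse response) { super(response); }

        @Override
        public void addCookie(Cookie c) {
            // Cookie.setHttpOnly() does not exist before Servlet 3.0, so the
            // header is built by hand instead of delegating to the container.
            addHeader("Set-Cookie", toHeader(c));
        }
    }

    // The value is written unquoted, so it must already be cookie-safe
    // (no spaces, semicolons, commas or control characters).
    static String toHeader(Cookie c) {
        StringBuilder h = new StringBuilder();
        h.append(c.getName()).append('=').append(c.getValue() == null ? "" : c.getValue());
        if (c.getPath() != null)   h.append("; Path=").append(c.getPath());
        if (c.getDomain() != null) h.append("; Domain=").append(c.getDomain());
        if (c.getMaxAge() >= 0)    h.append("; Max-Age=").append(c.getMaxAge());
        if (c.getSecure())         h.append("; Secure");
        return h.append("; HttpOnly").toString();
    }
}
```

The filter would be declared in the war's `web.xml` and mapped to `/*`; checking the `Set-Cookie` response headers afterwards shows whether the application's cookies actually pass through it.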
