
I have tried many ways to use the HttpOnly flag to prevent XSS attacks, but all failed.

The common way is to set useHttpOnly="true" in context.xml.

To test the result: in the Java code I set two test parameters in cookies, and in the front JSP file I included JavaScript to alert document.cookie. The two test parameters set in the Java code are retrieved and shown in the alert.

Java code:

 Cookie cookie = new Cookie("httponlytest", "testsss");    // created without setHttpOnly(true)
 response.addCookie(cookie);
 Cookie cookie1 = new Cookie("testhttponly", "successfu"); // likewise, no HttpOnly flag
 response.addCookie(cookie1);

JavaScript in the JSP file:

 alert("cookie------------" + document.cookie);

  1. Is there anything I did wrong?
  2. If you know how, it would be very helpful.
hs.chandra
zjzhangkui

2 Answers

For others who do not know HttpOnly:

HttpOnly=true is a relatively new attribute that makes a cookie in the browser inaccessible to JavaScript.

So it is a browser-only security (XSS) technique to prevent access to JSESSIONID (hijacking Java sessions) and such.

So you could always set the HttpOnly attribute in the Cookie itself. For the Java session ID it is now the default I think, at least it should be.

<Context useHttpOnly="true">

This seems to work only for JSESSIONID. I just found this on SO.

Joop Eggen
  • You mean that by setting useHttpOnly="true" in the context it only works for JSESSIONID, and a cookie set in the backend Java code can still be read by JavaScript, right? If so, can it prevent an XSS attack? You are right: if I setSecure(true) for the cookie in the Java code, that cookie can't be read by JavaScript. – zjzhangkui Apr 27 '13 at 09:26
  • `setSecure` is for `https:`. Use [Cookie.setHttpOnly(true)](http://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html). – Joop Eggen Apr 27 '13 at 20:38
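The comment above is the actual fix for the question: Tomcat's useHttpOnly only covers the container-managed JSESSIONID cookie, while cookies created with new Cookie(...) in application code need Cookie.setHttpOnly(true) individually (Servlet 3.0 API, Tomcat 7 and later). The servlet below is an added example, not code from the question or either answer; the class name, the URL mapping /httponly-demo and the cookie names and values are constructed for the demo. It sets one cookie without the flag and one with it, then renders a page that prints document.cookie so the difference can be seen in the browser, and reports server-side whether both cookies came back on the next request.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical demo servlet (not from the original post). Deploy on a Servlet 3.0+
// container such as Tomcat 7+, then open /httponly-demo twice: the first load sets
// the cookies, the second shows which of them the browser sent back.
@WebServlet("/httponly-demo")
public class HttpOnlyDemoServlet extends HttpServlet {

    // Constructed cookie names for the demo.
    static final String VISIBLE_NAME = "visibletest";   // readable by page scripts
    static final String HIDDEN_NAME = "httponlytest";   // HttpOnly, hidden from scripts

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Cookie 1: no flags at all. This is what the question's code does, so a
        // script on the page (including an injected one) can read it via document.cookie.
        Cookie visible = new Cookie(VISIBLE_NAME, "script-can-read-me");
        visible.setPath("/");
        resp.addCookie(visible);

        // Cookie 2: HttpOnly set on the cookie object itself. The browser still sends
        // it on every matching request, but document.cookie does not expose it.
        Cookie hidden = hardened(new Cookie(HIDDEN_NAME, "script-cannot-read-me"), req.isSecure());
        resp.addCookie(hidden);

        // Server-side view: on a reload both cookies arrive in the Cookie header,
        // because HttpOnly only restricts script access, not transmission.
        boolean visibleSeen = received(req, VISIBLE_NAME);
        boolean hiddenSeen = received(req, HIDDEN_NAME);

        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<!DOCTYPE html><html><body>");
            // Only fixed strings and booleans are echoed; request cookie values are
            // never written into the page, since that would be an injection sink itself.
            out.println("<p>server received " + VISIBLE_NAME + ": " + visibleSeen + "</p>");
            out.println("<p>server received " + HIDDEN_NAME + ": " + hiddenSeen + "</p>");
            out.println("<pre id=\"out\"></pre>");
            out.println("<script>");
            // Expected after a reload: only visibletest appears here; httponlytest does not.
            out.println("document.getElementById('out').textContent = "
                    + "'document.cookie = ' + document.cookie;");
            out.println("</script></body></html>");
        }
    }

    // Apply the per-cookie flags the container's useHttpOnly setting does not give you.
    static Cookie hardened(Cookie c, boolean secureChannel) {
        c.setHttpOnly(true);        // Servlet 3.0+: blocks document.cookie access
        c.setSecure(secureChannel); // Secure only over https, or the browser will never send it back
        c.setPath("/");
        return c;
    }

    // True if a cookie with this name was present on the incoming request.
    static boolean received(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return true;
            }
        }
        return false;
    }
}
```

Two caveats worth keeping in mind. First, the flag only needs to be set on cookies whose theft matters; for the session cookie on a Servlet 3.0 container the same effect can be declared in web.xml under session-config / cookie-config / http-only, which, like Tomcat's useHttpOnly, again applies only to JSESSIONID. Second, HttpOnly does not prevent XSS; it only denies an injected script the cookie value. The script still runs in the victim's origin and can send requests that carry the cookie automatically, so output encoding in the JSP remains the actual XSS fix.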

Recently I was dealing with http-only=true cookies. During my research I found that Mozilla and Chrome do not allow Java applets to use http-only=true cookies. I was having an issue accessing the JsessionidSSO cookie. During my research on Java bugs I found this bug. In IE there is no issue reading the cookies, as IE has provided the InternetGetCookieEx() API to access http-only cookies and added the flag INTERNET_COOKIE_HTTPONLY, available only in IE8 and above. So the problem of accessing http-only cookies is still not solved, as Java proposed the fix in Java 7 update 40 while the current version is Java 7 update 21.

gusainhimanshu