Set http-only on cookies created in Spring MVC Controller

Question

I need to restrict access to a cookie containing a session token so that javascript can't access it. Advice that was given was to set Secure and HttpOnly flags on the cookie.

I was having trouble with cookies not being set when using @ResponseBody, so I'm setting the cookies inside a HandlerInterceptor.

public class COOKIEFilter implements org.springframework.web.servlet.HandlerInterceptor  {

    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o) throws Exception {

        Cookie cookie = new Cookie("timestamp", new Long(new Date().getTime()).toString());
        cookie.setSecure(true);
        // how do I set the http-only flag?
        httpServletResponse.addCookie(cookie);

        return true;
    }

As shown in the chrome console, Secure is set, but not HTTP

Showing that secure flag is being set

I've tried adding parameters to web.xml under servlet 3.0 sepcification that allows for secure and http-only to be set on session cookies, but since I need to handle the session myself (Spring MVC application needs to remain stateless), that won't work for me.

Update:

I'm using Tomcat7, currently with Servlet 2.5 and Spring 3.2.8.

score 10 · Accepted Answer · answered Apr 02 '15 at 06:10

10

It can be set as cookie.setHttpOnly(true) just like you did for secure.

answered Apr 02 '15 at 06:10

wolfram77

2,841
3
23
33

Let me try upping the servlet specification to 3 – Jan Vladimir Mostert Apr 02 '15 at 06:26
i haven't used Sping MVC framework, but this works in Java servlet. Is the `Cookie` you use from `javax.servlet.http.Cookie`? – wolfram77 Apr 02 '15 at 06:26
That is correct: javax.servlet.http.Cookie; From which servlet version is setHttpOnly supported? – Jan Vladimir Mostert Apr 02 '15 at 06:33
Java EE 6 [Cookie](http://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html) – wolfram77 Apr 02 '15 at 06:41
It says `Since: Servlet 3.0`, let me go figure out how to make make Spring play nice with Servlet 3.0. – Jan Vladimir Mostert Apr 02 '15 at 06:44

score 1 · Answer 2 · answered Apr 02 '15 at 06:19

1

You need to set the HttpOnly as below:

Cookie cookie = new Cookie("timestamp", new Long(new Date().getTime()).toString() + ";HttpOnly");

It needs to follow cookieName=cookieValue;HttpOnly;Secure format

answered Apr 02 '15 at 06:19

Mithun

7,747
6
52
68

The value I'm seeing in Chrome Console is now `"1427955789419`, but no HTTP flag is set. – Jan Vladimir Mostert Apr 02 '15 at 06:23
You mean to say that after the above changes, you are still not seeing the `HttpOnly` ? – Mithun Apr 02 '15 at 06:26

score -2 · Answer 3 · edited Apr 20 '15 at 14:31

-2

Replace:

 Cookie cookie = new Cookie("timestamp", new Long(new Date().getTime()).toString());

with the following

Cookie cookie = new Cookie("timestamp", new Long(new Date().getTime()).toString()+";HttpOnly");

This might work.

edited Apr 20 '15 at 14:31

iaforek

2,860
5
40
56

answered Apr 02 '15 at 06:11

sathya_dev

513
3
15

1

That just sets the value to "1427955447675 Http-Only" – Jan Vladimir Mostert Apr 02 '15 at 06:18
Yeah I missed to put the ; .As you said that too doesn't works. May I know which server you're using. Because, some server level configuration might cause conflicts – sathya_dev Apr 02 '15 at 06:28

Set http-only on cookies created in Spring MVC Controller

3 Answers3

Linked