tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 47554] New: o.a.c.h.s.JvmRouteBinderValve doesn't set HttpOnly flag to session Cookie.
Date Tue, 21 Jul 2009 10:16:43 GMT

           Summary: o.a.c.h.s.JvmRouteBinderValve doesn't set HttpOnly
                    flag to session Cookie.
           Product: Tomcat 6
           Version: 6.0.20
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Cluster

When session ID is changed with o.a.c.h.s.JvmRouteBinderValve, 
HttpOnly flag is not set to the session cookie newly made.

The cause is in the following
o.a.c.h.s.JvmRouteBinderValve#setNewSessionCookie's codes. 

protected void setNewSessionCookie(Request request,
        Response response, String sessionId) {
    if (response != null) {
        Context context = request.getContext();
        if (context.getCookies()) {
            // set a new session cookie
            Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME,
            String contextPath = null;
            if (!response.getConnector().getEmptySessionPath()
                    && (context != null)) {
                contextPath = context.getEncodedPath();
            if ((contextPath != null) && (contextPath.length() > 0)) {
            } else {
            if (request.isSecure()) {
            if (log.isDebugEnabled()) {
                        sessionId, Globals.SESSION_COOKIE_NAME, newCookie
                                .getPath(), new Boolean(newCookie

HttpOnly flag is never set to Cookie regardless of the value of
When context.getUseHttpOnly() is set to true, it is necessary to set HttpOnly
to Cookie. 

I made two patches.

The first is a patch for Tomcat6(tomcat/tc6.0.x/trunk/).
This patch uses response.addCookieInternal(Cookie, boolean).

The second is a patch for Tomcat7 or later (tomcat/trunk/).
This patch uses javax.servlet.SessionCookieConfig.
(It has not been implemented yet now ? I tried to make a patch.)
It is similar to org.apache.catalina.connector.Request#configureSessionCookie.

Best regards.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message