Bug 45632

Summary: HttpOnly Cookie support in 6.0.18
Product: Tomcat 6
Reporter: Kalidoss Sivasamy <kalidoss2>
Component: Servlet & JSP API
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED INVALID
Severity: normal
Priority: P2
Version: unspecified
Target Milestone: default
Hardware: PC
OS: Windows XP

Description Kalidoss Sivasamy 2008-08-14 06:01:07 UTC
We are seeing a different behavior in the cookie support between Tomcat version 6.0.14 and 6.0.18. The following code worked in 6.0.14 but not in 6.0.18.

Is there an explanation or is there a workaround?

String sessionId = "Our Session ID";
String cookieValue = sessionId + "; Path=/; HttpOnly ";
Cookie cookie = new Cookie("sessionId", cookieValue);
cookie.setVersion(1);			
response.addCookie(cookie);	


Thanks,
Kal
Comment 1 Mark Thomas 2008-08-14 06:11:19 UTC
You can't do that. Tomcat will escape the ; in your cookie value.

You'll need to set the whole cookie header directly.

HttpOnly support is on the todo list for 6.0.x.
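
The approach from Comment 1, as an added example that is not part of the original thread and is not Tomcat's own code: it writes the Set-Cookie header directly with the HttpOnly attribute and rejects any value containing characters that would end or split the header. The class and method names are hypothetical, and the session ID is assumed to be a token without spaces or separators.

```java
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper (not a Tomcat API): emits Set-Cookie directly so the
// HttpOnly attribute can be sent on a container without built-in support.
public final class HttpOnlyCookieHeader {

    private HttpOnlyCookieHeader() {}

    // Builds the header value, e.g. "sessionId=abc123; Path=/; HttpOnly".
    static String build(String name, String value, String path, boolean secure) {
        requireSafe(name, "name");
        requireSafe(value, "value");
        requireSafe(path, "path");
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value);
        sb.append("; Path=").append(path);
        if (secure) {
            sb.append("; Secure");
        }
        sb.append("; HttpOnly");
        return sb.toString();
    }

    // Because the container no longer escapes anything for us, refuse input
    // that could add attributes (';'), add a second cookie (','), or inject
    // a new header line (CR/LF and other control characters).
    private static void requireSafe(String s, String what) {
        if (s == null || s.length() == 0) {
            throw new IllegalArgumentException("cookie " + what + " is empty");
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c <= 0x20 || c >= 0x7f || c == '"' || c == ','
                    || c == ';' || c == '\\') {
                throw new IllegalArgumentException(
                        "illegal character in cookie " + what);
            }
        }
    }

    // addHeader rather than setHeader: setHeader would overwrite any
    // Set-Cookie values already set on the response.
    static void addSessionCookie(HttpServletResponse response,
                                 String sessionId, boolean secure) {
        response.addHeader("Set-Cookie",
                build("sessionId", sessionId, "/", secure));
    }
}
```
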
Comment 2 Jim Manico 2008-08-26 13:59:54 UTC
Did someone say session cookie server support? https://issues.apache.org/bugzilla/show_bug.cgi?id=44382 Mark, that's music to my ears! :) 
Comment 3 Jim Manico 2008-08-26 14:00:39 UTC
I meant...

Did someone say session cookie HTTPONLY support? https://issues.apache.org/bugzilla/show_bug.cgi?id=44382 Mark, that's music to my ears! :)