Play framework 1.x on Tomcat - httpOnly cookies

Posted by aishwarya on Stack Overflow
Published on 2012-11-09T03:57:25Z Indexed on 2012/11/09 17:00 UTC

I'm setting application.session.httpOnly=true in application.conf, generating a WAR file, and deploying it on Tomcat.

I still see the cookie generated as HttpOnly=No and it is editable.

This is an issue with Play 1.x running on Tomcat 6 (i.e. Servlet API 2.x). Apparently, the HttpOnly flag for cookies was only introduced in Servlet 3.0 and so is only available in Tomcat 7+.

Has anybody identified a workaround for this so far (so I could have HttpOnly cookies for Play 1.x on Tomcat 6.x)? The httpOnly flag on the context in Tomcat only works for Tomcat's JSESSIONID cookie...

Also, can I run a Play 1.x app on Servlet 3.0?

PS: This was also posted on the Play framework's Google Groups but we did not receive a response, so we are posting on SO.
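
One header-level way to get the flag on the Servlet 2.x API, as an added example that is not part of the original post or of Play's own code: a filter whose response wrapper writes the Set-Cookie header itself and appends HttpOnly. It assumes Play's servlet wrapper sets cookies through HttpServletResponse.addCookie, that the filter (hypothetical class name HttpOnlyCookieFilter) is mapped to /* in the WAR's web.xml, and that cookie values are already cookie-safe.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class name). Servlet 2.x has no Cookie.setHttpOnly(),
// so the wrapper below serialises each cookie into a Set-Cookie header and appends
// the HttpOnly attribute itself.
// Assumption: registered in web.xml with a <filter-mapping> on /* so that it wraps
// the response before the application's servlet writes any cookie.
public class HttpOnlyCookieFilter implements Filter {

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new HttpOnlyResponse((HttpServletResponse) res));
    }

    static class HttpOnlyResponse extends HttpServletResponseWrapper {
        HttpOnlyResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie c) {
            // Do not delegate to the container: it would emit the header without HttpOnly.
            addHeader("Set-Cookie", toHeader(c));
        }
    }

    // Builds a Netscape-style (version 0) cookie header.
    // Assumption: the value needs no quoting or escaping.
    static String toHeader(Cookie c) {
        StringBuilder sb = new StringBuilder();
        sb.append(c.getName()).append('=').append(c.getValue() == null ? "" : c.getValue());
        if (c.getPath() != null) sb.append("; Path=").append(c.getPath());
        if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
        if (c.getMaxAge() >= 0) sb.append("; Max-Age=").append(c.getMaxAge()); // -1 = session cookie
        if (c.getSecure()) sb.append("; Secure");
        return sb.append("; HttpOnly").toString();
    }
}
```

Cookies that the application writes with addHeader("Set-Cookie", ...) directly bypass addCookie and are not changed by this wrapper.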
