Tomcat Experts - Need help with Cookie support in 6.0.18

2008-08-14 Thread KalChitown

We recently upgraded from 6.0.14 to 6.0.18 due to an XSS security alert we
received.

The following code was working in 6.0.14 version but not in 6.0.18. Can
anyone explain this or suggest a workaround?


import javax.servlet.http.Cookie;

String sessionId = "Our session ID";
// the Path and HttpOnly attributes are appended to the value string itself
String cookieValue = sessionId + "; Path=/; HttpOnly";
Cookie cookie = new Cookie(sessionId, cookieValue);
cookie.setVersion(1);
response.addCookie(cookie);


Thanks,
Kal
-- 
View this message in context: 
http://www.nabble.com/Tomcat-Experts---Need-help-with-Cookie-support-in-6.0.18-tp18980912p18980912.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Tomcat Experts - Need help with Cookie support in 6.0.18

2008-08-14 Thread Tim Funk
With 6.0.18: "; Path=/; HttpOnly" [literally] becomes part of the 
cookie value. [That it worked before was sheer luck.]


-Tim




Re: Tomcat Experts - Need help with Cookie support in 6.0.18

2008-08-14 Thread KalChitown

Tim,

Thanks for the reply. Can you explain what you mean by "becomes part of the
value"? I thought I had them as part of the cookieValue already?

Can you point out the change I need to make in my code snippet?


-Kal



-- 
View this message in context: 
http://www.nabble.com/Tomcat-Experts---Need-help-with-Cookie-support-in-6.0.18-tp18980912p18982955.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Tomcat Experts - Need help with Cookie support in 6.0.18

2008-08-14 Thread Tim Funk

A cookie is composed of many parts such as:
name, value, path, expiration, secure

Cookie.setValue is only meant to set the value of the cookie. Your code 
had the lucky side effect of setting the path and the HttpOnly flag.


If you wish to set a cookie with the HttpOnly flag set - you need to 
skip using the HttpCookie object and you'll need to add your own header 
to the response. For example:


response.addHeader("Set-Cookie", "v1=bar; Path=/; HttpOnly");



-Tim

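Building the Set-Cookie header by hand, as Tim suggests, with the session value validated so that attribute text can never ride along inside the value the way it did in the original snippet. This is an added example, not code from the thread or from Tomcat; the cookie name SESSION_TOKEN, the allowed-character patterns and the helper names are assumptions, and it is plain Java so it compiles without servlet-api (the call site in a servlet would be response.addHeader("Set-Cookie", header)).

```java
import java.util.regex.Pattern;

// Added example (not from the thread or from Tomcat): build the Set-Cookie
// header by hand, keeping the attributes out of the value. Names are assumed.
public final class HttpOnlyCookie {

    // Assumed policy: a value may only contain these characters, so it can
    // never carry ';', whitespace or control characters that a browser would
    // read as extra attributes or a proxy would read as another header line.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+");
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9._~+/=-]+");
    private static final Pattern SAFE_PATH = Pattern.compile("/[A-Za-z0-9._~/-]*");

    /** Returns the full header value for response.addHeader("Set-Cookie", ...). */
    public static String buildSetCookie(String name, String value, String path,
                                        boolean secure, boolean httpOnly) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("unsafe cookie name");
        }
        if (value == null || !SAFE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("unsafe cookie value");
        }
        if (path == null || !SAFE_PATH.matcher(path).matches()) {
            throw new IllegalArgumentException("unsafe cookie path");
        }
        StringBuilder header = new StringBuilder(name).append('=').append(value);
        header.append("; Path=").append(path);
        if (secure) {
            header.append("; Secure");
        }
        if (httpOnly) {
            header.append("; HttpOnly");
        }
        return header.toString();
    }

    public static void main(String[] args) {
        // Constructed session id; in a servlet this would be the real token.
        String sessionId = "A1B2C3D4E5F6";
        System.out.println(buildSetCookie("SESSION_TOKEN", sessionId, "/", true, true));

        // The value shape from the original post (attributes appended to the
        // value) is rejected outright rather than being quoted into a cookie
        // whose value literally contains "; Path=/; HttpOnly".
        try {
            buildSetCookie("SESSION_TOKEN", sessionId + "; Path=/; HttpOnly", "/", true, true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The Secure attribute is included because Tim lists "secure" among the cookie parts; drop it only for a deployment that genuinely serves the session over plain HTTP.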