Java EE (Java Enterprise Edition) General Discussion

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Interested in getting your voice heard by members of the Developer Marketing team at Oracle? Check out this post for AppDev or this post for AI focus group information.

How to modify the JSESSIONID cookie?

843838Aug 12 2006 — edited Aug 12 2006

I'm trying to add the HttpOnly attribute to all cookies in any responses sent by our application. The value of the Set-Cookie header would then look like
"Foo=Bar; HttpOnly" instead of simply "Foo=Bar".

I've written a Filter that uses a response wrapper to override the addCookie method in order to update the cookie value. This works fine for all cookies that are set in our app. However, the response.addCookie call that adds the
JSESSIONID cookie (done by the servlet environment) is not getting intercepted by the filter.

Is this cookie added to the response before the servlet environment sets up the filter chain? If so, is this as-designed? Is there any other way to force the JSESSIONID cookie to have the HttpOnly attribute?

Btw, I'm using Tomcat 5.5.17.

Thanks,

John.

Locked Post

New comments cannot be posted to this locked post.

Locked on Sep 9 2006

Added on Aug 12 2006

#javaserver-pages-jsp-and-jstl

1 comment

745 views

Java EE (Java Enterprise Edition) General Discussion

How to modify the JSESSIONID cookie?

Comments

Post Details