We have a large web application which is 99% HTML pages, with one of our complex pages implemented as a Java applet. We switched our session cookie over to being "HttpOnly" and now have issues with our applet. The reason we have an issue with our applet is that the Java plug-in and applet HTTP requests back to our server are no longer in the authenticated session.
Here is the scenario:
The user logs in and gets authenticated via an HTML page. The session cookie is then given to the browser as "HttpOnly". When the applet is requested, it attempts to download the jars needed for the applet to run. Since the session cookie is set as "HttpOnly", the browser no longer gives the session cookie to the plug-in to send along with the download request. The request fails, as this request is not authenticated. Even if I were to move the jars to a location where the download request doesn't need to be in an authenticated session, the applet itself needs to participate in the session.
After much research, I can see now that the browser doesn't give access to the HttpOnly cookies, as that would defeat the purpose.
My question is this: Is there a way to mark the applet as "trusted" (with some version of the plug-in) so that the applet would pass the session cookies along with the request?
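The split the question describes can be modelled directly: the browser still attaches an HttpOnly cookie to every HTTP request it makes itself, but withholds it from anything that reads cookies at script level (document.cookie, and by extension any plug-in or bridge that obtains cookies from the page rather than from the browser's own request pipeline). The following is an added example written for this page, not code from the question or from any Java plug-in; the cookie names, values and Set-Cookie headers are constructed samples.

```javascript
// Added example (not from the original post). Models which cookies a browser
// sends on its own HTTP requests versus which it exposes to script-level access.
// The Set-Cookie parser below is deliberately minimal: it handles one header
// value at a time and the attributes relevant here (HttpOnly, Secure, others
// kept as key/value pairs).

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [rawName, ...rawValue] = parts[0].split('=');
  const cookie = {
    name: rawName.trim(),
    value: rawValue.join('=').trim(), // values may legitimately contain '='
    httpOnly: false,
    secure: false,
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attrs[key] = v.join('=').trim();
  }
  return cookie;
}

// What the browser itself attaches to an HTTP request to the cookie's origin:
// every cookie in the jar. HttpOnly restricts script access, not transmission.
function requestCookieHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join('; ');
}

// What client-side code sees through document.cookie, and therefore what any
// plug-in or script bridge that obtains cookies from the page can see:
// HttpOnly cookies are omitted entirely.
function scriptVisibleCookies(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: a login response that sets an HttpOnly session cookie
// (here named JSESSIONID as an assumption) alongside an ordinary preference cookie.
const SAMPLE_SET_COOKIE_HEADERS = [
  'JSESSIONID=abc123; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/',
];

const jar = SAMPLE_SET_COOKIE_HEADERS.map(parseSetCookie);
console.log('Cookie header the browser sends:  ', requestCookieHeader(jar));
console.log('Cookies visible to script/plug-in:', scriptVisibleCookies(jar));
```

The second line of output is the applet's view: the session cookie is simply absent, which is why any jar download or session call the plug-in issues on its own arrives unauthenticated.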