users@jsr311.java.net

Re: HTTPOnly cookies

From: Marc Hadley <Marc.Hadley_at_Sun.COM>
Date: Thu, 24 Jul 2008 11:54:01 -0400

On Jul 24, 2008, at 4:36 AM, Stephan Koops wrote:

> I also think we should be careful about adding non-standard attributes.
> Perhaps there are a lot of others, but I don't know.
>
> Is it right that you can handle this HTTPOnly also with
> CacheControl.cacheExtensions?
>
There's a not-entirely-pleasant workaround:

NewCookie nc = new NewCookie(...);
Response r = Response.ok().header("Set-Cookie", nc.toString()
+";HttpOnly").build();

I'm not really keen to bake in support for non-standard attributes.

Marc.

>
> Marc Hadley schrieb:
>> Are there other extended attributes or is this a special case ?
>>
>> Marc.
>>
>> On Jul 23, 2008, at 1:13 PM, Rajiv Mordani wrote:
>>
>>> We have added support for HTTP-only cookies in servlet 3.0. It is
>>> the EDR out there but there is no implementation available as yet.
>>>
>>> - Rajiv
>>>
>>> Bertold Kolics wrote:
>>>> Hi,
>>>>
>>>> Would it be possible to add support for HTTP-only cookies in the
>>>> Cookie/NewCookie classes (see http://www.owasp.org/index.php/HTTPOnly)?
>>>> I understand that this extension is non-standard and does not
>>>> give full protection against XSS - but it should be trivial to
>>>> implement.
>>>>
>>>> Bertold
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe_at_jsr311.dev.java.net
>>>> For additional commands, e-mail: users-help_at_jsr311.dev.java.net
>>>
>>
>> ---
>> Marc Hadley <marc.hadley at sun.com>
>> CTO Office, Sun Microsystems.
>>
>

---
Marc Hadley <marc.hadley at sun.com>
CTO Office, Sun Microsystems.
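The workaround Marc describes above, written out as an added example that is not part of the thread and not JAX-RS or Jersey code. Because NewCookie.toString() needs a JAX-RS RuntimeDelegate provider on the classpath, this plain-Java version builds the Set-Cookie header value by hand with a hypothetical helper (setCookieValue), appends the HttpOnly attribute the same way the workaround does, and adds the check a defender wants alongside string concatenation: a hasHttpOnly() guard that confirms the flag actually made it into the header before the response is sent.

```java
// Added example, not from the mailing-list thread. Plain Java only, so it
// compiles without a JAX-RS provider; setCookieValue() and hasHttpOnly()
// are hypothetical helpers written for this illustration.
public class HttpOnlyCookieExample {

    // Serialize cookie attributes into a Set-Cookie header value in the same
    // "name=value;Version=1;Path=...;Secure" shape that NewCookie.toString()
    // produces, then append HttpOnly exactly as the workaround does.
    static String setCookieValue(String name, String value, String path,
                                 String domain, int maxAge,
                                 boolean secure, boolean httpOnly) {
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value).append(";Version=1");
        if (path != null) {
            sb.append(";Path=").append(path);
        }
        if (domain != null) {
            sb.append(";Domain=").append(domain);
        }
        if (maxAge >= 0) {
            sb.append(";Max-Age=").append(maxAge);
        }
        if (secure) {
            sb.append(";Secure");
        }
        if (httpOnly) {
            // Non-standard (at the time) attribute: browsers hide the cookie
            // from document.cookie, limiting what a script injection can read.
            sb.append(";HttpOnly");
        }
        return sb.toString();
    }

    // Defensive check for the header value that is about to go on the wire.
    // Attribute names are matched case-insensitively, so "httponly" counts.
    static boolean hasHttpOnly(String setCookie) {
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().equalsIgnoreCase("HttpOnly")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values; the cookie name and value are made up.
        String session = setCookieValue("JSESSIONID", "abc123", "/",
                                        null, -1, true, true);
        System.out.println("Set-Cookie: " + session);
        if (!hasHttpOnly(session)) {
            throw new IllegalStateException("session cookie must be HttpOnly");
        }

        // A cookie serialized through a path that does not know the flag
        // silently loses it; the guard is what catches that case.
        String legacy = "JSESSIONID=abc123;Version=1;Path=/";
        System.out.println("legacy cookie HttpOnly? " + hasHttpOnly(legacy));
    }
}
```

The point of the guard is that the workaround lives in one string concatenation: any other code path that later re-serializes the NewCookie through the standard header delegate drops the attribute without complaint, so checking the final header value (or asserting on it in a test) is how you notice before a browser does.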