Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[jetty-users] How to httpOnly and secureCookie cookie flags

Hi all!

I'm trying to set cookies created by Jetty to be secure and httpOnly in Jetty 6.1.26. So far I've found that org.mortbay.jetty.servlet.HashSessionManager (which seems to be default session manager) has setHttpOnly and setSecureCookies methods. However, calling those ones from context configuration, or from jetty-web.xml in my web app seems to have no effect - FireFox Web Developer plugin cookies tab still says something like:
Value	4cq07v2wmoia16fvrd8k026vg
Host	localhost
Path	/myapp
Secure	No
Expires	At End Of Session

Here is part of web app's WEB-INF/jetty-web.xml (excluding doctype and xml tag) I use:
<Configure class="org.mortbay.jetty.webapp.WebAppContext">
  <Get name="sessionHandler">
    <Get name="sessionManager">
      <Set name="httpOnly">True</Set>
      <Set name="secureCookies">True</Set>

Using <Call name="setHttpOnly"><Arg type="boolean">True</Arg></Call> seems to have no effect as well.

So, what am I doing wrong, and how should I set those attributes (and am I setting them in the right place)?

Thanks in advance!

Back to the top