Play framework 1.x on Tomcat - httpOnly cookies
Posted by aishwarya on Stack Overflow
Published on 2012-11-09T03:57:25Z
Indexed on 2012/11/09 17:00 UTC
I'm setting application.session.httpOnly=true in application.conf, generating a WAR file and deploying it on Tomcat.
I still see the cookie generated as HttpOnly=No and it is editable.
This is an issue with Play 1.x running on Tomcat 6 (i.e. Servlet API 2.x). Apparently, the HttpOnly flag for cookies was only introduced in Servlet 3.0 and so is only available in Tomcat 7+.
Has anybody identified a workaround for this so far (so I could have HttpOnly cookies for Play 1.x on Tomcat 6.x)? The httpOnly flag on the context in Tomcat only works for Tomcat's jsessionid cookie...
Also, can I run a Play 1.x app on Servlet 3.0?
PS: This was also posted on the Play framework's Google Groups, but we did not receive a response, so I am posting it on SO.
© Stack Overflow or respective owner
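One way to get the HttpOnly attribute on a Servlet 2.5 container is a servlet filter that writes the Set-Cookie header itself. This is an added example, not code from the original post or from Play; the class name HttpOnlyCookieFilter is hypothetical, and it assumes Play's WAR wrapper sends its cookies through HttpServletResponse.addCookie().

```java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; HttpOnlyCookieFilter is a hypothetical name. Servlet 2.5 API only.
public class HttpOnlyCookieFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public void addCookie(Cookie c) {
                // Cookie has no setHttpOnly() before Servlet 3.0, so emit the header by hand.
                addHeader("Set-Cookie", render(c, System.currentTimeMillis()));
            }
        });
    }

    // Builds the Set-Cookie value; assumes a version 0 (Netscape-style) cookie.
    static String render(Cookie c, long nowMillis) {
        String value = c.getValue() == null ? "" : c.getValue();
        for (char ch : value.toCharArray()) {
            // Refuse characters that could terminate the value or split the header.
            if (ch <= 0x20 || ch >= 0x7f || ch == ';' || ch == ',' || ch == '"') {
                throw new IllegalArgumentException("unsafe character in cookie value");
            }
        }
        StringBuilder sb = new StringBuilder(c.getName()).append('=').append(value);
        if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
        if (c.getPath() != null) sb.append("; Path=").append(c.getPath());
        if (c.getMaxAge() >= 0) {
            // Max-Age 0 deletes the cookie: use a date in the past for Expires.
            long when = c.getMaxAge() == 0 ? 10000L : nowMillis + c.getMaxAge() * 1000L;
            SimpleDateFormat fmt = new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US);
            fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
            sb.append("; Max-Age=").append(c.getMaxAge());
            sb.append("; Expires=").append(fmt.format(new Date(when)));
        }
        if (c.getSecure()) sb.append("; Secure");
        return sb.append("; HttpOnly").toString();
    }
}
```

The filter has to be declared in the WAR's WEB-INF/web.xml with a filter-mapping that covers the application's URLs, and it marks every cookie the application sets as HttpOnly, not only the session cookie. Check the result in the response headers rather than in application.conf.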