Play framework 1.x on Tomcat - httpOnly cookies
- by aishwarya
I'm setting application.session.httpOnly=true in the application.conf and generating a war file and deploying on tomcat.
I still see the cookie generated as HttpOnly=No and it is editable.
This is an issue with play 1.x running on tomcat 6 (i.e. servlet api 2.x). Apparently, http only flag for cookies was only introduced in servlet 3.0 and so is only available in tomcat 7+
has anybody identified a workaround for this so far (so I could have http only cookies for play 1.x on tomcat 6.x ) ? the httpOnly flag on context in tomcat only works for tomcat's jsessionid cookie...
also, can I run a play 1.x app on servlet 3.0 ?
PS: This was also posted on the play framework's google groups but we did not receive a response and so posting on SO.