Anyone know how I can use httponly cookies for sessions and cookies on the app engine?
In the javadoc for the Cookie class, http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean) , there is a setHttpOnly method.
I get a compiler error when trying to use it when developing for app engine though.
The method was introduced in the Servlet 3.0 spec, so it's pretty new.
App Engine supports the Servlet API at version 2.5, so you cannot use the setHttpOnly method.
You could try to output the cookie header yourself.
resp.setHeader("Set-Cookie", "A=7; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly");
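As an added example (not code from either answer or from App Engine), a small helper for the Servlet 2.5 workaround above: it builds the Set-Cookie value with HttpOnly (and optionally Secure), rejects characters that would let a value split the header into extra attributes, and uses addHeader rather than setHeader so any other Set-Cookie headers already on the response are kept. The class and method names are hypothetical.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;

/**
 * Emits a Set-Cookie header carrying the HttpOnly flag on a Servlet 2.5
 * container, where Cookie.setHttpOnly does not exist. Hypothetical helper,
 * not part of any App Engine or Servlet API.
 */
public final class HttpOnlyCookies {

    // CR/LF would terminate the header; ';' ',' and whitespace would
    // start a new attribute or cookie, so none of them may appear in a token.
    private static final Pattern ILLEGAL = Pattern.compile("[\\r\\n;,\\s]");

    private HttpOnlyCookies() {}

    /** Builds the header value; pass maxAgeSeconds < 0 for a session cookie. */
    public static String build(String name, String value, String path,
                               long maxAgeSeconds, boolean secure) {
        for (String s : new String[] {name, value, path}) {
            if (s.isEmpty() || ILLEGAL.matcher(s).find()) {
                throw new IllegalArgumentException("illegal cookie character in: " + s);
            }
        }
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value);
        sb.append("; Path=").append(path);
        if (maxAgeSeconds >= 0) {
            // Expires for old clients, Max-Age for everyone else.
            SimpleDateFormat fmt =
                new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US);
            fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
            Date expiry = new Date(System.currentTimeMillis() + maxAgeSeconds * 1000L);
            sb.append("; Expires=").append(fmt.format(expiry));
            sb.append("; Max-Age=").append(maxAgeSeconds);
        }
        if (secure) {
            sb.append("; Secure");   // only sent over HTTPS
        }
        sb.append("; HttpOnly");     // not readable from document.cookie
        return sb.toString();
    }

    /** addHeader, not setHeader: setHeader would replace other Set-Cookie headers. */
    public static void add(HttpServletResponse resp, String name, String value,
                           String path, long maxAgeSeconds, boolean secure) {
        resp.addHeader("Set-Cookie", build(name, value, path, maxAgeSeconds, secure));
    }
}
```

For the example on the line above, HttpOnlyCookies.add(resp, "A", "7", "/", 86400L, true) produces the equivalent header with a Secure flag added.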
Since 2017 GAE does support Servlet API 3.1, so I've tested the following cookie option inside web.xml and it works:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
Source: https://stackoverflow.com/questions/2642252/httponly-cookies-on-google-app-engine-java