Java HttpOnly Flag

问题

I used Servlet 3.0 and I want secure my cookies with HttpOnly flag. my web.xml is

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee" 
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
    http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">


    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

</web-app>

and my Servlet is

response.setContentType("application/json");
PrintWriter pw = response.getWriter();

Cookie cookie = new Cookie("url", "google.com");
cookie.setMaxAge(60 * 60); //1 hour
response.addCookie(cookie);

pw.println("Cookies created");

my context.xml is

<Context cookies="true" crossContext="true" useHttpOnly="true">
    <SessionCookie httpOnly="true"/>    
</Context>

but I can read cookies from Javascript . Can anybody help me?

回答1:

The web.xml only configures the session-cookie.

You should add

cookie.setHttpOnly(true);

to your Servlet.

来源：https://stackoverflow.com/questions/23977304/java-httponly-flag