Monday, February 2, 2009

Servlet Containers and HTTPOnly support

Oracle WebLogic (Oracle acquired BEA in January 2008) is not playing ball at all: http://coding-insecurity.blogspot.com/2008/12/oracle-just-doesn-get-it.html

Apache Tomcat JSESSIONID Cookie: A developer submitted a patch adding HTTPOnly support to Apache Tomcat. It is all but certain to ship in Tomcat 7 (which aims to be a Servlet 3.0 container). The core developers are voting right now on whether to include HTTPOnly support in Tomcat 5/6 as well. https://issues.apache.org/bugzilla/show_bug.cgi?id=44382

IBM Websphere: (Sept 08) "WebSphere Application Server has been modified to properly recognize, accept and process HTTP-Only cookies. This support is targeted for fixpacks 6.0.2.21 and 6.1.0.11. Please review the recommended updates page at http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27004980 for more information."

2 comments:

Jim Manico said...

up-2-date info on Oracle/BEA/Weblogic HTTPOnly support http://coding-insecurity.blogspot.com/2009/06/dream.html

Josef Nedstam said...

And as pointed out elsewhere, the WebSphere support is just for accepting HTTPOnly cookies, not for creating them. I'm working with WebSphere Commerce, and am having a hard time setting this flag, since any custom servlet filter won't know what the cookies are called.