Monday, February 2, 2009

Servlet Containers and HTTPOnly support

Oracle (acquired BEA Jan 08) Weblogic is not playing ball at all:

Apache Tomcat JSESSIONID Cookie: A developer submitted a patch to Apache Tomcat, which is close to going live in Tomcat 7 for sure soon (aiming to be a 3.0 servlet container). The core developers are voting to decide on whether to include HTTPOnly support for Tomcat 5/6 right now.

IBM Websphere: (Sept 08) "WebSphere Application Server has been modified to properly recognize, accept and process HTTP-Only cookies. This support is targeted for fixpacks and Please review the recommended updates page at for more information."


Jim Manico said...

up-2-date info on Oracle/BEA/Weblogic HTTPOnly support

Joffemannen said...

And as pointed out elsewhere, the WebSphere support is just for acception HTTPOnly cookies, not for creating. Working with WebSphere Commerce, and am having a hard time setting this flag, since any custom servlet filter won't know what the cookies are called.