Monday, March 2, 2009

HTTPOnly Supported in Tomcat 6.0.19+

Jeff caught it first, but the upcoming release of Tomcat 6.0.19 will include HTTPOnly session cookie support!

This feature will be disabled by default; to enable it, add the following setting to your context configuration.

<Context useHttpOnly="true" />
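Once the setting is in place, the way to confirm it took effect is to look at the Set-Cookie header the server sends when it creates a session and check that the JSESSIONID cookie carries the HttpOnly flag. The script below is an added example (not code from this post or from Tomcat) that parses Set-Cookie headers and reports the flags on the session cookie. The two sample header lists are constructed, with a placeholder session id; the fetch_set_cookie_headers() helper is the only part that talks to a real server, and the URL passed to it is an assumption.

```python
"""Check whether the JSESSIONID cookie a server sends carries the HttpOnly flag.

Added example, not code from this post or from Tomcat. The sample Set-Cookie
headers below are constructed (the session id is a placeholder); the
fetch_set_cookie_headers() helper is the only part that touches the network.
"""
import urllib.request


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; bare flags such as HttpOnly and Secure map
    to an empty string so their presence can be tested with `in`.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def session_cookie_flags(set_cookie_headers, session_cookie="JSESSIONID"):
    """Return {'httponly': bool, 'secure': bool} for the session cookie, or None
    if no Set-Cookie header names it (for example, no session was created)."""
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name.lower() == session_cookie.lower():
            return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}
    return None


def fetch_set_cookie_headers(url, timeout=5):
    """Request a URL and collect every Set-Cookie header from the response."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed samples: what the server sends with useHttpOnly left at its
# default, and what it sends once useHttpOnly="true" is in effect.
DEFAULT_RESPONSE = ["JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/app"]
HTTPONLY_RESPONSE = ["JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/app; HttpOnly"]


if __name__ == "__main__":
    for label, headers in (("default", DEFAULT_RESPONSE), ("useHttpOnly", HTTPONLY_RESPONSE)):
        print(label, session_cookie_flags(headers))
    # Against a live server (URL is an assumption):
    # print(session_cookie_flags(fetch_set_cookie_headers("http://localhost:8080/app/")))
```

Point the live check at a page that actually creates a session (a JSP or a servlet that calls getSession()); a static resource will not set JSESSIONID at all, and the function returns None to make that case visible rather than reporting a false pass.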

I first blogged about this topic on March 27, 2008 and submitted a patch to Apache a few days later, on March 30, 2008. It's great to know that this functionality will really exist in Tomcat 6.0.19 (the current "trunk" as of this posting) and will ship whenever that release goes out. =)

To quote someone from the Apache crowd: "If you're interested in getting the next release out more quickly, perhaps you could volunteer to fix some bugs?" =)


#2 said...

Do you know if httpOnly support has been added to any official 5.5.x or 6.x release build?

I use 5.5.x and cannot find definitive information.

Thank you.

Jim Manico said...

The current 6.x Tomcat production release is 6.0.18. HTTPOnly support for session cookies will be included in Tomcat in the 6.0.19 or above production release (which is not out yet as of today).

I do not think HTTPOnly session cookie support will be added to Tomcat 5.5.x, but I will ask and post here if it will be included.

#2 said...

Thank you Jim. As a Tomcat user, it is great to see you leading the charge to get HTTPOnly support in.

Jim Manico said...

Thanks kindly! I just heard back from Mark Thomas from Apache. He said:

(the HTTPOnly session cookie patch) "[is] in the current backport list for 5.5.28. I'm nudging gently when the opportunity arises."

Ronak Mallik said...

This feature has been backported to 5.5.

Download the actual backport (bug44382-tc5-1.txt) here.

Marco Ruiz said...

Is it possible to use httpOnly in Tomcat 5.5 as configured? I added it in the context, but neither works.