Monday, June 24, 2013

GlassFish Tip of the Day: HttpOnly

This is just a quick tip for those who are configuring HttpOnly on GlassFish. To enable it, you simply add the following to your web.xml.
GlassFish has it enabled by default anyway; you must explicitly disable it if you do not want it.

The issue I had was testing it. When I deployed my application to localhost I did not see any of the cookies being marked as HttpOnly. I was using Chrome and auto-deploying my application, so the session was created before I turned on the developer tools. The response to that initial request was what contained the header marking the cookie as HttpOnly. You can confirm it easily using JSF and the method below: simply invalidate the session while the developer tools are open and examine the response returned.
I got a response header like the one below.
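As an added example (not from the original post), here is a small checker that does the same thing the developer tools do, but mechanically: it parses the Set-Cookie headers of a response and reports any session cookie that was issued without the HttpOnly attribute. The header lines are constructed to resemble what a GlassFish application returns after the session is invalidated, once with the default (HttpOnly on) and once with http-only explicitly disabled in web.xml.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample response headers: the GlassFish default, HttpOnly on.
HEADERS_DEFAULT = [
    "Content-Type: text/html;charset=UTF-8",
    "Set-Cookie: JSESSIONID=constructed0123456789abcdef; Path=/myapp; HttpOnly",
    "Set-Cookie: theme=dark; Path=/myapp; Max-Age=2592000",
]

# Constructed sample headers with <http-only>false</http-only> in web.xml.
HEADERS_DISABLED = [
    "Content-Type: text/html;charset=UTF-8",
    "Set-Cookie: JSESSIONID=constructedfedcba9876543210; Path=/myapp",
]

# Cookie names that carry session state; these are the ones script access matters for.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(value: str) -> Tuple[str, Set[str]]:
    """Split a Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes may be flags (HttpOnly, Secure) or key=value (Path=/app).
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookie_attributes(headers: List[str]) -> Dict[str, Set[str]]:
    """Map each cookie set by the response to the attributes it was sent with."""
    result: Dict[str, Set[str]] = {}
    for header in headers:
        field, _, value = header.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        result[name] = attrs
    return result


def missing_httponly(headers: List[str], session_names: Set[str] = SESSION_COOKIE_NAMES) -> List[str]:
    """Return the session cookies in the response that lack the HttpOnly attribute."""
    attrs = cookie_attributes(headers)
    return sorted(n for n in attrs if n in session_names and "httponly" not in attrs[n])


if __name__ == "__main__":
    print("default config, missing HttpOnly:", missing_httponly(HEADERS_DEFAULT))
    print("http-only disabled, missing HttpOnly:", missing_httponly(HEADERS_DISABLED))
```

Feed it the raw response headers copied from the developer tools (or from a curl -i run) to check the deployed application rather than the constructed samples.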

