how do I test httpOnly cookie flag

2019-04-04 01:42发布

问题:

I have set the following property in websphere for the jsession cookie com.ibm.ws.webcontainer.HTTPOnlyCookies.

Any idea how best to test this using JavaScript in Firefox or IE?

回答1:

Firebug - click on the Cookies tab



回答2:

It's a pain in IE. I have IE9 so your screens may be different.

Press F12, go to the network tab, and then press Start Capturing. Back in IE then open the page you want to view. Back in the F12 window you show see all the individual HTTP requests, select the one that's the page or asset you're checking the cookies on and double click on it. You should then be able to see all the response headers and cookies on their relevant tabs.


Edit:

A HttpOnly Cookie would look something like this:

Set-Cookie: SessionId=z5ymkk45aworjo2l31tlhqqv; path=/; HttpOnly

The cookie may not be sent with every response, so you may need to clear all of your cookies and then try again to make sure one is sent with the request you're monitoring.



回答3:

firecookie for firefox gives me the answer.



回答4:

add the following lines to your app String

sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; secure; HttpOnly");