Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2217749 | 8 | Dennis Gu | P3 | Resolved | Fixed | b18 |
In applet mode, the CookieHandler.getDefault().put() call appears to ignore HttpOnly cookies. For example, if the applet calls CookieHandler.getDefault().put() with two cookies, one with the HttpOnly attribute and one without it, and then immediately calls CookieHandler.getDefault().get() for the same URI, only the cookie without the HttpOnly attribute is returned. See the attached example. This happens in both IE8 and Firefox 3.6.18.
This issue causes problems with the https://www.google.com/accounts/ServiceLogin service, which makes use of HttpOnly cookies. Specifically, this issue appears to be the root cause for http://javafx-jira.kenai.com/browse/RT-15676
Example applet code:
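```java
import java.awt.BorderLayout;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.net.CookieHandler;
import java.net.URI;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.swing.JApplet;
import javax.swing.JButton;
import javax.swing.JTextArea;
import javax.swing.SwingUtilities;

public class CookieTest extends JApplet {
    private JTextArea textArea;

    @Override
    public void init() {
        try {
            // Build the UI on the event dispatch thread.
            SwingUtilities.invokeAndWait(new Runnable() {
                @Override public void run() {
                    setLayout(new BorderLayout());
                    JButton button = new JButton("Test");
                    button.addActionListener(new ActionListener() {
                        @Override public void actionPerformed(ActionEvent e) {
                            test();
                        }
                    });
                    add(button, BorderLayout.NORTH);
                    textArea = new JTextArea();
                    add(textArea, BorderLayout.CENTER);
                }
            });
        } catch (Exception e) {
            System.err.println("createGUI didn't complete successfully");
        }
    }

    private void test() {
        try {
            // The handler installed by the plugin when running as an applet.
            CookieHandler handler = CookieHandler.getDefault();
            URI uri = new URI("https://www.google.com/accounts/ServiceLogin");
            Map<String, List<String>> headers =
                    new HashMap<String, List<String>>();
            // Store one HttpOnly cookie and one ordinary cookie.
            headers.put("Set-Cookie", Arrays.asList(
                    "FOO=BAR;HttpOnly", "ABC=XYZ"));
            handler.put(uri, headers);
            textArea.append("put: " + headers + "\n");
            // Read back the cookies that would be sent for the same URI.
            headers = handler.get(uri, new HashMap<String, List<String>>());
            textArea.append("got: " + headers + "\n");
        } catch (Exception ex) {
            textArea.setText("Error, consult Java console for more info");
            ex.printStackTrace(System.err);
        }
    }
}
```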
Expected output (in the text box next to the "Test" button):

```
put: {Set-Cookie=[FOO=BAR;HttpOnly, ABC=XYZ]}
got: {Cookie=[FOO=BAR, ABC=XYZ]}
```

Actual output:

```
put: {Set-Cookie=[FOO=BAR;HttpOnly, ABC=XYZ]}
got: {Cookie=[ABC=XYZ]}
```
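A headless version of the same put/get round trip, added here as an example and not part of the original report: it runs without a browser, so it can serve as a regression check, and it also confirms that the stored cookie keeps its HttpOnly flag. The class name `HttpOnlyRoundTrip` and the fallback to `java.net.CookieManager` when no default handler is installed are assumptions of this example.

```java
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.util.*;

public class HttpOnlyRoundTrip {   // hypothetical class name

    /** Stores the Set-Cookie values for uri, then returns the name=value pairs get() would send. */
    static Set<String> roundTrip(CookieHandler handler, URI uri, String... setCookies)
            throws Exception {
        Map<String, List<String>> response = new HashMap<String, List<String>>();
        response.put("Set-Cookie", Arrays.asList(setCookies));
        handler.put(uri, response);
        Set<String> pairs = new TreeSet<String>();
        List<String> sent = handler.get(uri, new HashMap<String, List<String>>()).get("Cookie");
        if (sent != null) {
            // Implementations return either one list entry per cookie or a single
            // "a=1; b=2" string, so normalise both shapes.
            for (String value : sent) {
                for (String pair : value.split(";")) {
                    pairs.add(pair.trim());
                }
            }
        }
        return pairs;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: outside the plugin no default handler is installed, so fall
        // back to the JDK's in-memory CookieManager.
        CookieHandler handler = CookieHandler.getDefault();
        if (handler == null) handler = new CookieManager();
        URI uri = new URI("https://www.google.com/accounts/ServiceLogin");
        Set<String> sent = roundTrip(handler, uri, "FOO=BAR;HttpOnly", "ABC=XYZ");
        System.out.println("got: " + sent);
        // HttpOnly hides a cookie from script; it must still be sent on HTTP(S) requests.
        boolean ok = sent.contains("FOO=BAR") && sent.contains("ABC=XYZ");
        if (handler instanceof CookieManager) {
            // The stored cookie should still carry the HttpOnly flag after parsing.
            for (HttpCookie c : ((CookieManager) handler).getCookieStore().get(uri)) {
                if (c.getName().equals("FOO") && !c.isHttpOnly()) {
                    ok = false;
                }
            }
        }
        System.out.println(ok ? "PASS" : "FAIL: HttpOnly cookie dropped or flag lost");
        if (!ok) System.exit(1);
    }
}
```

`HttpCookie.isHttpOnly()` requires Java 7 or later.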
- backported by
  - JDK-2217749 Plugin CookieHandler ignores HttpOnly cookies (Resolved)
- duplicates
  - JDK-6890023 Network: Cookies marked HttpOnly not included in URLConnection requests (Closed)
- relates to
  - JDK-7038890 CookieHandler.getDefault().get() with "javascript:" URI hangs or otherwise works incorrectly (Closed)
  - JDK-7196513 Java is unable to read httponly cookies in Firefox/Chrome (Closed)
  - JDK-7095980 Ensure HttpURLConnection (and supporting APIs) don't expose HttpOnly cookies (Closed)