HttpOnlyCookies Proposal

Index: http/Cookie.java
===================================================================
RCS file: /cvs/glassfish/servlet-api/src/jakarta-servletapi-5/jsr154/src/share/javax/servlet/http/Cookie.java,v
retrieving revision 1.4
diff -u -r1.4 Cookie.java
--- http/Cookie.java    5 May 2007 05:34:19 -0000       1.4
+++ http/Cookie.java    31 Mar 2008 21:27:29 -0000
@@ -110,7 +110,7 @@
     private String path;       // ;Path=VALUE ... URLs that see the cookie
     private boolean secure;    // ;Secure ... e.g. use SSL
     private int version = 0;   // ;Version=1 ... means RFC 2109++ style
-
+    private boolean isHttpOnly;


     /**
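Review bot: The new `isHttpOnly` field is the only one in this run of attribute fields without the trailing comment its neighbours carry, so a reader of the field list cannot tell which Set-Cookie attribute it maps to; I would write it as `private boolean isHttpOnly; // ;HttpOnly ... not readable by client-side script`. The sibling flag is named `secure`, not `isSecure`, so `httpOnly` would match the file's convention, though as a private field this is style only. The hunk also drops the blank line that separated the field block from the Javadoc that follows; keeping it would leave the surrounding layout unchanged.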
@@ -555,5 +555,38 @@
            throw new RuntimeException(e.getMessage());
        }
     }
+
+    /**
+     * Marks or unmarks this cookie as <i>HttpOnly</i>.
+     *
+     * <p>If <tt>isHttpOnly</tt> is set to <tt>true</tt>, this cookie is
+     * marked as <i>HttpOnly</i>, by adding the <tt>HttpOnly</tt> attribute
+     * to it.
+     *
+     * <p><i>HttpOnly</i> cookies are not supposed to be exposed to
+     * client-side scripting code, and may therefore help mitigate certain
+     * kinds of cross-site scripting attacks.
+     *
+     * @param isHttpOnly true if this cookie is to be marked as
+     * <i>HttpOnly</i>, false otherwise
+     *
+     * @since 3.0
+     */
+    public void setHttpOnly(boolean isHttpOnly) {
+        this.isHttpOnly = isHttpOnly;
+    }
+
+    /**
+     * Checks whether this cookie has been marked as <i>HttpOnly</i>.
+     *
+     * @return true if this cookie has been marked as <i>HttpOnly</i>,
+     * false otherwise
+     *
+     * @since 3.0
+     */
+    public boolean isHttpOnly() {
+        return isHttpOnly;
+    }
+
 }
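Review bot: The Javadoc on `setHttpOnly` should state the limit of the protection, because "may help mitigate certain kinds of cross-site scripting attacks" is easy to read as a defence against XSS itself. HttpOnly only stops script from reading the cookie value (for example through `document.cookie`); injected script can still make the browser send requests that carry the cookie, so the attribute mitigates theft of a session token, not the script execution. I would add: "This attribute only prevents client-side script from reading the cookie value; it does not prevent requests issued by such script from carrying the cookie, and user agents that do not recognize the attribute ignore it." The accessors here only record the flag; whether the `HttpOnly` attribute actually reaches the Set-Cookie header depends on the container's cookie serialization, which is not part of this diff, and the Javadoc should not promise more than the flag itself. The method whose closing lines open this hunk starts outside it.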