JDK-7077220 : Plugin CookieHandler ignores HttpOnly cookies

Details
Type: Enhancement
Submit Date: 2011-08-10
Status: Closed
Updated Date: 2012-01-24
Project Name: JDK
Resolved Date: 2012-01-16
Component: deploy
OS: generic,windows_xp,windows
Sub-Component: plugin
CPU: x86,generic
Priority: P3
Resolution: Fixed
Affected Versions: 6u7,6u23,6u24,6u37,7
Fixed Versions: 7u4 (b05)

Description
In the applet mode, the CookieHandler.getDefault().put() call appears to ignore HttpOnly cookies. For example, if the applet calls CookieHandler.getDefault().put() with two cookies, one with the HttpOnly attribute and one without the HttpOnly attribute, and then immediately calls CookieHandler.getDefault().get() for the same URI, only the cookie without the HttpOnly attribute is returned. See the attached example. This happens in both IE8 and Firefox 3.6.18.

This issue causes problems with the https://www.google.com/accounts/ServiceLogin service, which makes use of HttpOnly cookies. Specifically, this issue appears to be the root cause for http://javafx-jira.kenai.com/browse/RT-15676

Example applet code:

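import java.awt.BorderLayout;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.net.CookieHandler;
import java.net.URI;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.swing.JApplet;
import javax.swing.JButton;
import javax.swing.JTextArea;
import javax.swing.SwingUtilities;

public class CookieTest extends JApplet {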

    private JTextArea textArea;

    @Override
    public void init() {
        try {
            SwingUtilities.invokeAndWait(new Runnable() {
                @Override public void run() {
                    setLayout(new BorderLayout());

                    JButton button = new JButton("Test");
                    button.addActionListener(new ActionListener() {
                        @Override public void actionPerformed(ActionEvent e) {
                            test();
                        }
                    });
                    add(button, BorderLayout.NORTH);

                    textArea = new JTextArea();
                    add(textArea, BorderLayout.CENTER);
                }
            });
        } catch (Exception e) {
            System.err.println("createGUI didn't complete successfully");
        }
    }

    private void test() {
        try {
            CookieHandler handler = CookieHandler.getDefault();

            URI uri = new URI("https://www.google.com/accounts/ServiceLogin");
            
            Map<String, List<String>> headers =
                    new HashMap<String, List<String>>();
            headers.put("Set-Cookie", Arrays.asList(
                    "FOO=BAR;HttpOnly","ABC=XYZ"));
            
            handler.put(uri, headers);
            textArea.append("put: " + headers + "\n");

            headers = handler.get(uri, new HashMap<String, List<String>>());
            textArea.append("got: " + headers + "\n");
        } catch (Exception ex) {
            textArea.setText("Error, consult Java console for more info");
            ex.printStackTrace(System.err);
        }
    }
}

Expected output (in the text box next to the "Test" button):

    put: {Set-Cookie=[FOO=BAR;HttpOnly, ABC=XYZ]}
    got: {Cookie=[FOO=BAR, ABC=XYZ]}

Actual output:

    put: {Set-Cookie=[FOO=BAR;HttpOnly, ABC=XYZ]}
    got: {Cookie=[ABC=XYZ]}
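
The same put/get round trip as a headless check that can be pointed at any CookieHandler (an added example, not part of the original report or the JDK sources). It is run here against java.net.CookieManager on Java 7 or later; the class name CookieRoundTripCheck, the method droppedCookies and the URI are assumptions made for illustration.

```java
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class CookieRoundTripCheck {
    // Names of cookies that were stored via put() but not handed back by get().
    static List<String> droppedCookies(CookieHandler handler, URI uri,
                                       List<String> setCookie) throws Exception {
        Map<String, List<String>> response = new HashMap<String, List<String>>();
        response.put("Set-Cookie", setCookie);
        handler.put(uri, response);
        // Handlers may return one entry per cookie or a single "; "-joined entry.
        List<String> returned = new ArrayList<String>();
        Map<String, List<String>> request =
                handler.get(uri, new HashMap<String, List<String>>());
        for (List<String> values : request.values()) {
            for (String value : values) {
                for (String pair : value.split(";")) {
                    returned.add(pair.trim());
                }
            }
        }
        List<String> dropped = new ArrayList<String>();
        for (String header : setCookie) {
            for (HttpCookie c : HttpCookie.parse(header)) {
                if (!returned.contains(c.getName() + "=" + c.getValue())) {
                    dropped.add(c.getName() + (c.isHttpOnly() ? " (HttpOnly)" : ""));
                }
            }
        }
        return dropped;
    }

    public static void main(String[] args) throws Exception {
        URI uri = new URI("https://app.example.test/accounts/login"); // constructed URI
        List<String> sent = Arrays.asList("FOO=BAR;HttpOnly", "ABC=XYZ");
        List<String> dropped = droppedCookies(new CookieManager(), uri, sent);
        System.out.println("dropped by handler: " + dropped);
        if (!dropped.isEmpty()) {
            throw new AssertionError("handler withheld cookies: " + dropped);
        }
    }
}
```

Passing CookieHandler.getDefault() instead of a new CookieManager runs the same check against whatever handler the hosting environment installed; a handler with the behaviour reported here would list FOO (HttpOnly) as dropped.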


Comments
EVALUATION

A new Microsoft API has provided support for HttpOnly cookies:

InternetGetCookieEx()

and added the flag INTERNET_COOKIE_HTTPONLY, which is only available for IE8 and up.

Still need to find an API for Firefox support for HttpOnly cookies.

2011-09-19
EVALUATION

Note that the fix was reverted in 7117621.
The new CR for this is 7119727.

2012-01-24