JDK-7077220 : Plugin CookieHandler ignores HttpOnly cookies
  • Type: Enhancement
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 6u7,6u23,6u24,6u37,7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic,windows,windows_xp
  • CPU: generic,x86
  • Submitted: 2011-08-10
  • Updated: 2012-01-24
  • Resolved: 2012-01-16
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availabitlity Release.

To download the current JDK release, click here.
JDK 7 JDK 8
7u4 b05Fixed 8Fixed
Related Reports
Duplicate :  
Relates :  
Relates :  
Relates :  
Description
In the applet mode, the CookieHandler.getDefault().put() call appears to ignore HttpOnly cookies. For example, if the applet calls CookieHandler.getDefault().put() with two cookies, one with HttpOnly attribute and one without the HttpOnly attribute and then immediately calls CookieHandler.getDefault().get() for the same URI, only the cookie without the HttpOnly attribute is returned. See the attached example. This happens in both IE8 and Firefox 3.6.18.

This issue causes problems with the https://www.google.com/accounts/ServiceLogin service, which makes use of HttpOnly cookies. Specifically, this issue appears to be the root cause for http://javafx-jira.kenai.com/browse/RT-15676

Example applet code:

public class CookieTest extends JApplet {

    private JTextArea textArea;

    @Override
    public void init() {
        try {
            SwingUtilities.invokeAndWait(new Runnable() {
                @Override public void run() {
                    setLayout(new BorderLayout());

                    JButton button = new JButton("Test");
                    button.addActionListener(new ActionListener() {
                        @Override public void actionPerformed(ActionEvent e) {
                            test();
                        }
                    });
                    add(button, BorderLayout.NORTH);

                    textArea = new JTextArea();
                    add(textArea, BorderLayout.CENTER);
                }
            });
        } catch (Exception e) {
            System.err.println("createGUI didn't complete successfully");
        }
    }

    private void test() {
        try {
            CookieHandler handler = CookieHandler.getDefault();

            URI uri = new URI("https://www.google.com/accounts/ServiceLogin");
            
            Map<String, List<String>> headers =
                    new HashMap<String, List<String>>();
            headers.put("Set-Cookie", Arrays.asList(
                    "FOO=BAR;HttpOnly","ABC=XYZ"));
            
            handler.put(uri, headers);
            textArea.append("put: " + headers + "\n");

            headers = handler.get(uri, new HashMap<String, List<String>>());
            textArea.append("got: " + headers + "\n");
        } catch (Exception ex) {
            textArea.setText("Error, consult Java console for more info");
            ex.printStackTrace(System.err);
        }
    }
}

Expected output (in the text box next to the "Test" button):

    put: {Set-Cookie=[FOO=BAR;HttpOnly, ABC=XYZ]}
    got: {Cookie=[FOO=BAR, ABC=XYZ]}

Actual output:

    put: {Set-Cookie=[FOO=BAR;HttpOnly, ABC=XYZ]}
    got: {Cookie=[ABC=XYZ]}

Comments
EVALUATION Note that fix was reverted in 7117621. New CR for this is 7119727
2012-01-24

EVALUATION A new Microsoft API has provide support to HttpOnly cookie: InternetGetCookieEx() and add flag INTERNET_COOKIE_HTTPONLY, which is only available for IE8 and up. Still need to find an API for Firefox support for HttpOnly cookie.
2011-09-19