JDK-7095980 : Ensure HttpURLConnection (and supporting APIs) don't expose HttpOnly cookies

Details
Type: Enhancement
Submit Date: 2011-09-28
Status: Closed
Updated Date: 2013-05-09
Project Name: JDK
Resolved Date: 2012-08-21
Component: core-libs
OS: generic
Sub-Component: java.net
CPU: generic
Priority: P2
Resolution: Fixed
Affected Versions: 7
Fixed Versions:
Related Reports
Backport:
Duplicate:
Relates:
Relates:

Sub Tasks

Description
Once CR 7077220 is fixed the Plugin CookieHandler may be able to retrieve HttpOnly cookies from the browser's cookie store. This CR is concerned with ensuring HttpOnly cookies are not accessible to application code (trusted or untrusted).

HttpOnly cookies should only be accessible to the HTTP client implementation, so that they can be used in HTTP requests, and NOT anywhere else.


Comments
EVALUATION

Since the integration of CR 6980004, any cookies automatically retrieved from the default CookieHandler (for Java Plugin/Applet, the Plugin CookieHandler) will not be exposed to user code (either trusted or untrusted) through the URLConnection.getRequestProperty/getRequestProperties API. This ensures that all cookies, including HttpOnly, are protected.

Now what about Set-Cookie headers including HttpOnly, are they accessible through URLConnection.getHeaderField(s)?
2011-09-29
EVALUATION

The changes use the internal/private java.net.HttpCookie parsing implementation to filter out HttpOnly cookies from the Set-Cookie and Set-Cookie2 headers returned in the HTTP protocol handler. With this change the HTTP protocol suitably protects HttpOnly cookies.

http://cr.openjdk.java.net/~chegar/7095980/webrev.00/webrev/

It reuses the internal java.net.HttpCookie parsing implementation rather than trying to maintain two separate parsing implementations. This is a little ugly since it is private and in the public java.net namespace, but I believe a shared secret is the best approach here.

Changeset: 33ac7a057b9c
Author:    chegar
Date:      2011-12-16 16:09 +0000
URL:       http://hg.openjdk.java.net/jdk8/tl/jdk/rev/33ac7a057b9c

7095980: Ensure HttpURLConnection (and supporting APIs) don't expose HttpOnly cookies
Reviewed-by: michaelm

! src/share/classes/java/net/HttpCookie.java
+ src/share/classes/sun/misc/JavaNetHttpCookieAccess.java
! src/share/classes/sun/misc/SharedSecrets.java
! src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+ test/sun/net/www/protocol/http/HttpOnly.java
2011-12-16
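The evaluation above describes the fix at a high level: the HTTP protocol handler parses each Set-Cookie / Set-Cookie2 value with the java.net.HttpCookie parser and strips any cookie that carries the HttpOnly attribute before the header reaches application code. The following Java program is an added illustration of that filtering step using only the public HttpCookie API; it is not the JDK's own HttpURLConnection code, the class and method names are chosen for this example, and the response headers in main are constructed samples rather than values from the page. Re-serialising the surviving cookies as bare name=value pairs is an approximation made here for readability.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Illustrates the header-level filtering this CR describes: cookies carrying
 * the HttpOnly attribute are removed from Set-Cookie / Set-Cookie2 values
 * before the headers are handed to application code.
 * Added example; not the JDK's own implementation.
 */
public class HttpOnlyHeaderFilter {

    /** Returns the cookies in one Set-Cookie(2) header value that are NOT HttpOnly. */
    static List<HttpCookie> withoutHttpOnly(String headerValue) {
        List<HttpCookie> visible = new ArrayList<>();
        // HttpCookie.parse understands both Set-Cookie and Set-Cookie2 syntax
        // and may yield several cookies for a single header value.
        for (HttpCookie cookie : HttpCookie.parse(headerValue)) {
            if (!cookie.isHttpOnly()) {
                visible.add(cookie);
            }
        }
        return visible;
    }

    /**
     * Re-serialises the surviving cookies as a header value (name=value pairs
     * only, an approximation for this example). Returns null when every cookie
     * in the value was HttpOnly, so the caller can drop the header entirely.
     */
    static String filteredHeaderValue(String headerValue) {
        List<HttpCookie> visible = withoutHttpOnly(headerValue);
        if (visible.isEmpty()) {
            return null;
        }
        StringBuilder sb = new StringBuilder();
        for (HttpCookie c : visible) {
            if (sb.length() > 0) {
                sb.append(", ");
            }
            sb.append(c.getName()).append('=').append(c.getValue());
        }
        return sb.toString();
    }

    /**
     * Applies the filter to a response header map of the shape returned by
     * URLConnection.getHeaderFields() (header name -> list of values; the
     * status line is stored under a null key). Headers other than
     * Set-Cookie / Set-Cookie2 pass through unchanged.
     */
    static Map<String, List<String>> filterHeaders(Map<String, List<String>> headers) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey();
            boolean cookieHeader = name != null
                && (name.equalsIgnoreCase("Set-Cookie") || name.equalsIgnoreCase("Set-Cookie2"));
            if (!cookieHeader) {
                out.put(name, e.getValue());
                continue;
            }
            List<String> kept = new ArrayList<>();
            for (String value : e.getValue()) {
                String filtered = filteredHeaderValue(value);
                if (filtered != null) {
                    kept.add(filtered);
                }
            }
            if (!kept.isEmpty()) {
                out.put(name, Collections.unmodifiableList(kept));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample response headers (not taken from the page).
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("Content-Type", Arrays.asList("text/html"));
        headers.put("Set-Cookie", Arrays.asList(
            "JSESSIONID=abc123; Path=/; HttpOnly",
            "theme=dark; Path=/; Max-Age=3600"));
        headers.put("Set-Cookie2", Arrays.asList("tracker=x; Version=1; HttpOnly"));

        // Print the headers as application code would see them after filtering:
        // the HttpOnly session cookie and the HttpOnly Set-Cookie2 value are gone.
        for (Map.Entry<String, List<String>> e : filterHeaders(headers).entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
        }
    }
}
```

The check that matters for a defender is the isHttpOnly() test per cookie rather than per header: one Set-Cookie value can carry several cookies, and only the HttpOnly ones should be withheld while the rest remain readable through getHeaderField(s).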
