JDK-7196513 : Java is unable to read httponly cookies in Firefox/Chrome
  • Type: Bug
  • Component: deploy
  • Sub-Component: deployment_toolkit
  • Affected Version: 7
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_2008
  • CPU: x86
  • Submitted: 2012-09-06
  • Updated: 2014-04-09
  • Resolved: 2012-09-07
JDK 7: 7u40 (Resolved)
Description
FULL PRODUCT VERSION :
java version "1.7.0_07"

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

A DESCRIPTION OF THE PROBLEM :
We are using JavaFX's WebView in our Swing application to provide rich, cross-platform browsing capabilities. Some of the URLs we need to display require the user to be authenticated. Typically, this will involve using 'HttpOnly' cookies. We have found that Java 7u7 is unable to read these cookies when running in Firefox or Chrome, usually resulting in the user being redirected to the relevant login URL. IE8+ appears to behave correctly, as suggested by delivered BugIDs 7077220 and 2217749. These bugs mention that FF/Chrome remain unresolved and tag a new bugID 7116429 to resolve; however, this bug cannot be found in the (public) Bug database and, based on our observations, remains unresolved.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Set up a simple Java application using JavaFX and WebView. Navigate to a page expecting an httpOnly cookie. Observe (using Fiddler or some other sniffer) that the cookies are not being made available to Java in FF/Chrome. Run the applet in IE. Observe that the cookies are made available as expected.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
httpOnly behaviour should be the same across browsers.
ACTUAL -
Firefox/Chrome behave differently to IE.

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
The only workaround we have is to disable httpOnly cookies where we control the website. In many cases, however, this is not possible.

Comments
EVALUATION: For Chrome/Firefox, we do not have HttpOnly cookie support yet: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7116429. Closing as dupe.
07-09-2012