Tomcat 7 - JSESSIONID cookie is not accessible from JavaScript code

session-cookies tomcat7 jsessionid
Jeff R. picture Jeff R. · Dec 13, 2011 · Viewed 12.6k times · Source

Does anyone know what changed in the configuration between Tomcat 6 and Tomcat 7 that would cause the JSESSIONID cookie to not be accessible via JavaScript?

Using Tomcat 6:

alert(document.cookie); // JSESSIONID=8675309ABCDEF...

Using Tomcat 7:

alert(document.cookie); // nothing

Answer

Jeff R. picture Jeff R. · Jan 3, 2012

Okay, I found the answer. The useHttpOnly attribute was set to false by default in Tomcat 6, and is true in Tomcat 7. This attribute is set for the <Context> container.

<Context useHttpOnly="false" [...] />

For more information about updating from Tomcat 6 to 7: Migrating from 6.0.x to 7.0.x

I'm not sure why I didn't see that in the docs before, but I've verified that setting this to false does in fact cause Tomcat 7 to revert to the Tomcat 6 behavior.

Related questions

Tomcat 7 sessionid cookie disable http-only and secure

I have a web application which is running on a Tomcat 7 server. The cookie with session id has by default the flags HttpOnly and Secure. I want to disable this flags for the JSESSIONID cookie. But it wont work. I …

Read More
How to use cURL to send Cookies?

I read that Send cookies with curl works, but not for me. I have a REST endpoint as: class LoginResource(restful.Resource): def get(self): print(session) if 'USER_TOKEN' in session: return 'OK' return 'not authorized', 401 When I try …

Read More
Invalidating JSON Web Tokens

For a new node.js project I'm working on, I'm thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user's browser) to a …

Read More