United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: 7119727 revisit IE httponly cookie support
7119727 : revisit IE httponly cookie support

Details
Type:
Enhancement
Submit Date:
2011-12-09
Status:
Resolved
Updated Date:
2012-11-19
Project Name:
JDK
Resolved Date:
2012-05-16
Component:
deploy
OS:
windows
Sub-Component:
deployment_toolkit
CPU:
x86
Priority:
P2
Resolution:
Fixed
Affected Versions:
8
Fixed Versions:
8

Related Reports
Backport:
JDK-2224538 - revisit IE httponly cookie support
Relates:
JDK-7196513 - Java is unable to read httponly cookies in Firefox/Chrome
Relates:
JDK-7077220 - Plugin CookieHandler ignores HttpOnly cookies
Relates:
JDK-7117621 - Nightly(jre8): JSobject API getMember("cookie") is not able to read cookeis properly on IE

Sub Tasks

Description
revisit IE httponly cookie support

http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx

we need to ensure changing to use new cookie API will not break existing cookie support

existing cookie test: http://nicole1.us.oracle.com:8080/plugin_tests/Cookies/Cookies/html/sop/CookieGetSet.html

in this test, there are actually 3 params for the cookie:

name=value;expiration-date;path=/...

some how the expiration-date and path is causing issues with the new "ex" API.

we need to make sure the test pass on XP, win 7 (run as admin or std)

We might need to do some processing on the args we pass to the ex API; or use different API based on the params.

more research and experiment needed

Comments
EVALUATION

A fix is to use the InternetSetCookieEx and the InternetGetCookieEx APIs for setting and getting cookies, respectively. For setting cookie, the fix examines if the cookie contains the "HttpOnly" attibutes before passing the INTERNET_COOKIE_HTTPONLY flag to the API.
2012-05-11 
SUGGESTED FIX

webrev: http://sa.us.oracle.com/projects/deployment_data/8/7119727.1
2012-05-11


Hardware and Software, Engineered to Work Together