Hello all.
I am working on a trusted file upload applet. This applet creates a
HttpURLConnection object and simulates a browser POST request. It
uploads form variables and also sends one or more files to the server.
Microsoft has introduced support for a new kind of cookie in Internet
Explorer 6.0 SP1. This is called an "HttpOnly" cookie and scripts do
not have access to this cookie. (The cookie does not show up in
document.cookie variable).
My server side script that receives the request is an ASP.NET script.
Since ASP.NET 2.0, the ASPNET_SessionID cookie is sent as a httpcookie.
When my applet does the POST request, it is able to pick up all the
cookies but the ASPNET_SessionID cookie. This is causing my session to
expire. Is there a way I can pick up HttpOnly cookies too?
This problem exists only when I'm using the Sun Plugin for IE. When I
use MS JVM everything is fine. I'm using Sun Plugin version 1.4.2_04.
Any help is appreciated.
Adarsh Bhat
> Microsoft has introduced support for a new kind of cookie in Internet
> Explorer 6.0 SP1. This is called an "HttpOnly" cookie and scripts do
> not have access to this cookie. (The cookie does not show up in
> document.cookie variable).
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure10102002.asp
...
> I am working on a trusted file upload applet. This applet creates a
> HttpURLConnection object and simulates a browser POST request. It
[quoted text clipped - 4 lines]
> not have access to this cookie. (The cookie does not show up in
> document.cookie variable).
If MS do not want scripts to access the cookie, they probably
would not allow Java to access it, as that would be a simple
way to get around it (an Applet could read the cookie and pass
it to JavaScript).
...
> This problem exists only when I'm using the Sun Plugin for IE. When I
> use MS JVM everything is fine. I'm using Sun Plugin version 1.4.2_04.
Thanks. I'll add that to my list of ..
'MSVM security holes that will *never* be fixed'.
Andrew T.
Adarsh Bhat - 14 Jul 2006 05:57 GMT
> ...
> > Microsoft has introduced support for a new kind of cookie in Internet
[quoted text clipped - 6 lines]
> way to get around it (an Applet could read the cookie and pass
> it to JavaScript).
It is not required that the applet be able to read the said cookie. The
browser automagically adds cookie headers to the request sent by applet
via the URLConnection. In my code I'm not explicitly reading and
setting cookies anywhere. In the case of the Sun plugin, all cookies
except the HttpOnly cookie get sent. In the case of MS JVM, *all*
cookies are sent.
Adarsh Bhat