Greetings folks,
We are using WebSphere 6.1 on AIX 6.1 with Sun's RI of JSF 1.1 to develop an application for which I have a javax.servlet.Filter implementation with the following code in it.

    private void doBeforeProcessing(ServletRequest request,
            ServletResponse response) throws IOException, ServletException {
        HttpServletRequest hsRequest = (HttpServletRequest)request;
        HttpServletResponse hsResponse = (HttpServletResponse)response;
        String sessionid = hsRequest.getSession().getId();
        if (hsResponse.containsHeader("SET-COOKIE")){
            hsResponse.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + ";secure;HttpOnly");
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain)
            throws IOException, ServletException {
        ...
        res.setHeader("Cache-Control", "no-cache");
        res.setHeader("Pragma", "no-cache");
        res.setHeader("Set-Cookie", "JSESSIONID=" + sessionId + ";secure;HttpOnly");
        ...

The output of the headers displays three lines as follows:

    Set-Cookie: JSESSIONID=0000GLoe85G_ulpMOLiTXrXAlA:-1; Path=/;
    Set-Cookie: JSESSIONID=0000GLoe85G_ulpMOLiTXrXAlA;secure
    Set-Cookie: ; HTTPOnly

I was expecting to see the output to contain only one line like

    Set-Cookie: JSESSIONID=0000GLoe85G_ulpMOLiTXrXAlA:-1; Path=/; secure; HTTPOnly

and was planning to write some regexp logic on it for other purposes in my code.
Much appreciate any help from this forum to educate me on the following aspects:
1. Is there a way to make sure the value of this header gets set only in one line?
2. Is there any threat to application security or could there be any browser incompatibility issues if the value of this header gets split into multiple lines?
Thanks in anticipation...
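
An added example, not part of the original post: a Python check that reads the header lines quoted above one at a time and reports which cookie flags each line is missing. It follows the RFC 6265 parsing rule that attributes apply only to the cookie on their own header line; the function names are illustrative assumptions.

```python
# Added example: audits captured Set-Cookie header lines one line at a time.
# Parsing follows RFC 6265 section 5.2: attributes belong only to the cookie on
# the same header line, and a line with no name=value pair is ignored entirely.

# The three header lines quoted in the post (copied verbatim).
OBSERVED = [
    "Set-Cookie: JSESSIONID=0000GLoe85G_ulpMOLiTXrXAlA:-1; Path=/;",
    "Set-Cookie: JSESSIONID=0000GLoe85G_ulpMOLiTXrXAlA;secure",
    "Set-Cookie: ; HTTPOnly",
]
# The single line the poster expected to see.
EXPECTED = ["Set-Cookie: JSESSIONID=0000GLoe85G_ulpMOLiTXrXAlA:-1; Path=/; secure; HTTPOnly"]


def parse_set_cookie(line):
    """Return (name, value, attrs) for one header line, or None if it would be ignored."""
    field, sep, cookie_string = line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None
    pair, _, rest = cookie_string.partition(";")
    name, eq, value = pair.partition("=")
    name = name.strip()
    if not eq or not name:
        return None  # no name=value pair: the whole line is dropped
    attrs = {}
    for chunk in rest.split(";"):
        key, _, val = chunk.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, value.strip(), attrs


def audit(lines, required=("secure", "httponly")):
    """Return (line_number, cookie_name_or_None, missing_flags) for every line."""
    report = []
    for number, line in enumerate(lines, start=1):
        parsed = parse_set_cookie(line)
        if parsed is None:
            report.append((number, None, list(required)))
            continue
        name, _, attrs = parsed
        report.append((number, name, [f for f in required if f not in attrs]))
    return report


def fully_flagged(lines, cookie_name):
    """True only if every line that sets cookie_name carries all required flags."""
    hits = [row for row in audit(lines) if row[1] == cookie_name]
    return bool(hits) and all(not missing for _, _, missing in hits)
```

Run over the post's output, `audit(OBSERVED)` shows that no line sets JSESSIONID with both flags, and that the third line has no name=value pair, so its HTTPOnly attribute protects nothing.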