Java Http-Only Cookie Test

This page tests whether a Java applet can use http-only cookies. The server sets two cookies, normal and httpOnly, each with the value 'xxx'. Each is then read three ways: from within the browser (JavaScript), from the server via an AJAX request, and from the server via the Java applet.

Browser (JavaScript), expected output:
  Has 'normal' cookie.
  Does not have 'httpOnly' cookie.

AJAX (server-side check), expected output:
  Has 'normal' cookie.
  Has 'httpOnly' cookie.

Java applet (server-side check), expected output:
  Has 'normal' cookie.
  Has 'httpOnly' cookie.

Why do we care?

For security. Http-only cookies are great for protecting sessions: because page script cannot read them, they are much less likely to be stolen by a cross-site scripting attack.
Since an applet can only open URL connections back to the domain it was loaded from, it can NEVER use third-party cookies unless it is signed or otherwise approved to do so. The applet may, however, need to maintain the session that the containing document is part of. Java also does not let the applet read cookie information directly; the cookies are added to the HTTP connection transparently by the plugin, so they cannot be read from within the Java applet either.

Browser Results

Browser | OS    | Version   | Cookie setting               | Browser (JavaScript) | AJAX               | Java               | Notes
Firefox | Vista | 3.6.3     | Do not accept third-party    | Good                 | Good               | No cookies at all  |
Firefox | Vista | 3.6.3     | Accept third-party           | Good                 | Good               | No httpOnly cookie |
Safari  | Vista | 3.2.2     | Only from sites you visit    | Has httpOnly cookie  | Good               | Good               | Safari 3 doesn't support protecting http-only cookies at all
Safari  | Vista | 3.2.2     | Always                       | Has httpOnly cookie  | Good               | Good               |
Safari  | Vista | 4.0.5     | Only from sites you visit    | Good                 | No httpOnly cookie | No httpOnly cookie | Safari 4 doesn't support http-only cookies at all
Safari  | Vista | 4.0.5     | Always                       | Good                 | No httpOnly cookie | No httpOnly cookie |
Opera   | Vista | 9.63      | Only from the site I visit   | Good                 | Good               | Good               |
Opera   | Vista | 9.63      | All                          | Good                 | Good               | Good               |
Chrome  | Vista | 4.1.249   | Restrict third-party cookies | Good                 | Good               | No httpOnly cookie |
Chrome  | Vista | 4.1.249   | All                          | Good                 | Good               | No httpOnly cookie |
IE      | Vista | 8.0.6001  | High                         | No cookies at all    | Good               | No cookies at all  | Consistent between JavaScript and Java
IE      | Vista | 8.0.6001  | Medium-High                  | Good                 | Good               | No httpOnly cookie |
IE      | Vista | 8.0.6001  | Medium                       | Good                 | Good               | No httpOnly cookie |
IE      | Vista | 8.0.6001  | All                          | Good                 | Good               | No httpOnly cookie |
If you have more data to add, please email me at [email protected].

Relevant bug reports:

Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=441166
Safari: https://bugs.webkit.org/show_bug.cgi?id=10957


The Code

The PHP code to set the cookies is:
  // setcookie(name, value, expire, path, domain, secure, httponly); expire 0 = session cookie
  setcookie('normal', 'xxx', 0, '/', '', false, false);   // readable by page script
  setcookie('httpOnly', 'xxx', 0, '/', '', false, true);  // HttpOnly: sent to the server, hidden from script

The PHP code to check the cookies is (used by AJAX and Java):
  // $_COOKIE is filled from the Cookie request header, so an HttpOnly cookie
  // shows up here even though page script could not read it.
  if (array_key_exists('normal', $_COOKIE) && $_COOKIE['normal'] == 'xxx') {
    echo "Has 'normal' cookie.\n";
  } else {
    echo "Does not have 'normal' cookie.\n";
  }

  if (array_key_exists('httpOnly', $_COOKIE) && $_COOKIE['httpOnly'] == 'xxx') {
    echo "Has 'httpOnly' cookie.\n";
  } else {
    echo "Does not have 'httpOnly' cookie.\n";
  }

The Java code can be viewed here: CookieTest.java

And feel free to look at the JavaScript code by using view source.