Bug Report: In Jakarta Faces applications, cookies are set without the HttpOnly attribute (Payara 6.2023.3)/FISH-7941
Brief Summary
This happens in the context of Jakarta Faces applications. I'm using Jakarta EE 10.
In the current community version (6.2023.3, but it seems to have existed at least since 6.2022.2), the set-cookie HTTP response headers don’t use the HttpOnly attribute anymore. In version 5 (and earlier, as far as I can remember), the attribute was used by default. As an example, the following set-cookie header is used:
set-cookie: JSESSIONID=0e7fa18043cbd4b39ad0e0a5f517; Path=/test; Secure
Apparently, the same issue existed in Glassfish 7, where it was (likely) fixed in the meantime: Fixed default httpOnly value - should be true by hs536 · Pull Request #24021 · eclipse-ee4j/glassfish · GitHub
I couldn’t find a server setting to enable the HttpOnly attribute. I’m aware it can be enabled in web.xml, but in my opinion, the default (and secure) behaviour should be to enable the attribute by default.
Expected Outcome
The set-cookie HTTP response header should use the HttpOnly attribute by default.
Current Outcome
The set-cookie HTTP response header does not use the HttpOnly attribute by default.
Reproducer
Deploy, e.g., a Jakarta Faces application and connect to it with the browser. The first response includes a set-cookie header without the HttpOnly attribute.
Operating System
macOS Ventura 13.3
JDK Version
openjdk 17.0.4.1
Payara Distribution
Payara Server Full Profile
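The reproducer above relies on reading the first response's set-cookie header in the browser. The following script is an added example, not part of the report or of Payara, that does the same check mechanically: it parses each Set-Cookie header per RFC 6265 (attribute names are case-insensitive) and reports which of the HttpOnly and Secure attributes are missing. The two sample headers are constructed for the example (the first is the header quoted in the report, the second is what a hardened header looks like); when a URL is passed on the command line, the script fetches the first response from that server instead.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Added example; not code from the bug report or from Payara.
"""
import http.client
import sys
from urllib.parse import urlsplit

# Constructed sample headers: the first is the header quoted in the report,
# the second is a hardened variant (session ID values are made up).
SAMPLE_HEADERS = [
    "JSESSIONID=0e7fa18043cbd4b39ad0e0a5f517; Path=/test; Secure",
    "JSESSIONID=3f9c1a7e2b8d4c6f0a1b2c3d4e5f6a7b; Path=/test; Secure; HttpOnly",
]

# Attributes every session cookie should carry (compared case-insensitively).
REQUIRED = ("httponly", "secure")


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure or
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_attributes(header):
    """Return the required attributes absent from this Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    return [a for a in REQUIRED if a not in attrs]


def audit(headers):
    """Return a list of (cookie name, missing attributes) for each header."""
    return [(parse_set_cookie(h)[0], missing_attributes(h)) for h in headers]


def fetch_set_cookie_headers(url, timeout=10):
    """Send one GET and return all Set-Cookie values of the first response.

    Only used when a URL is given on the command line; the offline sample
    path above does not need network access.
    """
    parsed = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parsed.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parsed.hostname, parsed.port, timeout=timeout)
    try:
        conn.request("GET", parsed.path or "/")
        resp = conn.getresponse()
        # getheaders() keeps repeated Set-Cookie lines as separate tuples.
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


if __name__ == "__main__":
    headers = (fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1
               else SAMPLE_HEADERS)
    for name, missing in audit(headers):
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{name}: {status}")
```

Run it without arguments to see the sample header from the report flagged for the absent HttpOnly attribute; run it with the URL of a deployed application (e.g. `python audit_cookies.py https://localhost:8181/test/`) to check the first response of a real server. Note that the script only inspects the first response; cookies set later, e.g. after login, need a separate request.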
Hello @rennhard,
Apologies for not coming back earlier to this issue. We have verified the behaviour that you reported, and indeed this is a bug. I have raised an internal issue FISH-7941, and the Platform Development team is going to solve the issue in due course.
Thank you very much for your report!
Best regards, Felix