Applet and HttpOnly cookies in IE 6.0 SP1

[Adarsh Bhat]

Hello all.

I am working on a trusted file upload applet. This applet creates a
HttpURLConnection object and simulates a browser POST request. It
uploads form variables and also sends one or more files to the server.

Microsoft has introduced support for a new kind of cookie in Internet
Explorer 6.0 SP1. This is called as a "HttpOnly" cookie and scripts do
not have access to this cookie. (The cookie does not show up in
document.cookie variable).

My server side script that receives the request is an ASP.NET script.
Since ASP.NET 2.0, the ASPNET_SessionID cookie is sent as a httpcookie.

When my applet does the POST request, it is able to pick up all the
cookies, but the ASPNET_SessionID cookie. This is causing my session to
expire. Is there a way I can pick up HttpOnly cookies too?

This problem exists only when I'm using the Sun Plugin for IE. When I
use MS JVM everything is fine. I'm using Sun Plugin version 1.4.2_04.

Any help is appreciated.

Adarsh Bhat

 

[Adarsh Bhat]

Microsoft has introduced support for a new kind of cookie in Internet

Explorer 6.0 SP1. This is called as a "HttpOnly" cookie and scripts do
not have access to this cookie. (The cookie does not show up in
document.cookie variable).

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure10102002.asp

 

[Adarsh Bhat]

Adarsh Bhat wrote:
...

If MS do not want scripts to access the cookie, they probably
would not allow Java to access it, as that would be a simple
way to get around it (an Applet could read the cookie and pass
it to JavaScript).

It is not required that the applet be able to read the said cookie. The
browser automagically adds cookie headers to the request sent by applet
via the URLConnection. In my code I'm not explicitly reading and
setting cookies anywhere. In the case of the Sun plugin, all cookies
except the HttpOnly cookie get sent. In the case of MS JVM, *all*
cookies are sent.

Adarsh Bhat