Dao De Code

CASTGC Cookie and HttpOnly Flag

Let's assume you employ CAS as your single sign-on solution. Upon receiving correct credentials from the user, CAS generates the CASTGC cookie (the ticket-granting ticket cookie), which is marked with the Secure flag. Now assume you also want to add the HttpOnly flag to that cookie, so it cannot be read through non-HTTP APIs such as client-side script. CAS 3.5.0 depends on servlet-api 2.5, but the handy Cookie#setHttpOnly method was only added in version 3.0 of the servlet-api. So how do we deal with it?

Assuming you run your CAS in a servlet container that implements the servlet 3.0 specification (e.g. Jetty 8 or Tomcat 7) and use Maven as your build tool, you can do the following to make it happen:

  1. exclude the old (2.5 and lower) servlet-api jars from your dependencies. For example
  2. include the new servlet-api jar (notice that the artifact id has changed)
  3. create your own version of CookieRetrievingCookieGenerator which supports the HttpOnly flag. You want to extend this class because CAS relies on it internally.
        package com.daodecode.cas.web.support;

        import javax.servlet.http.Cookie;

        public class HttpOnlySupportingCookieGenerator
                extends org.jasig.cas.web.support.CookieRetrievingCookieGenerator {
            private boolean cookieHttpOnly = false;

            public void setCookieHttpOnly(boolean cookieHttpOnly) {
                this.cookieHttpOnly = cookieHttpOnly;
            }

            @Override
            protected Cookie createCookie(String cookieValue) {
                Cookie cookie = super.createCookie(cookieValue);
                // Cookie#setHttpOnly is only available from servlet-api 3.0 onwards
                cookie.setHttpOnly(cookieHttpOnly);
                return cookie;
            }
        }
  4. override the TGT cookie generator creation by providing your own version of ticketGrantingTicketCookieGenerator.xml, wiring in the class from step 3
        <!-- the p: namespace must be declared on the root <beans> element:
             xmlns:p="http://www.springframework.org/schema/p" -->
        <bean id="ticketGrantingTicketCookieGenerator"
              class="com.daodecode.cas.web.support.HttpOnlySupportingCookieGenerator"
              p:cookieName="CASTGC"
              p:cookieSecure="true"
              p:cookieHttpOnly="true"
              p:cookiePath="${cas.cookie.path}" />
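To confirm the change actually took effect, check the Set-Cookie header CAS returns after a successful login. The following is an added example, not code from the original post: it parses raw Set-Cookie values (the two sample headers are constructed) and reports which of the Secure and HttpOnly attributes the CASTGC cookie is missing.

```python
"""Audit Set-Cookie headers for the CAS ticket-granting cookie (CASTGC)."""
from typing import Dict, List, Optional

TGT_COOKIE_NAME = "CASTGC"
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into {name, value, <attribute>: <value|None>}.

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else None
    return cookie


def missing_tgt_flags(headers: List[str]) -> Optional[List[str]]:
    """Return the required flags missing on CASTGC, or None if no CASTGC was set."""
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] == TGT_COOKIE_NAME:
            return [flag for flag in REQUIRED_FLAGS if flag not in cookie]
    return None


# Constructed sample responses: before the change (servlet-api 2.5, Secure only)
# and after it (generator subclass calling setHttpOnly(true)).
BEFORE = ["JSESSIONID=abc123; Path=/cas; HttpOnly",
          "CASTGC=TGT-1-example; Path=/cas; Secure"]
AFTER = ["JSESSIONID=abc123; Path=/cas; HttpOnly",
         "CASTGC=TGT-1-example; Path=/cas; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        missing = missing_tgt_flags(hdrs)
        if missing is None:
            print(f"{label}: no {TGT_COOKIE_NAME} cookie in response")
        elif missing:
            print(f"{label}: {TGT_COOKIE_NAME} missing {', '.join(missing)}")
        else:
            print(f"{label}: {TGT_COOKIE_NAME} carries Secure and HttpOnly")
```

Feed it the Set-Cookie values captured from your own CAS login response to verify the deployed configuration rather than the source.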

