Contributor
hakanson
Posts: 36
Registered: ‎04-06-2010
My Device: Bold 9700
My Carrier: AT&T

Problem with Widget accepting HttpOnly cookies

I was playing with the 1.0 release of the Widget SDK today, so the easiest thing was to point it at my existing mobile web application in the <content> section of the config.xml.  I got to my login page, but then things quit working.  I ended up using Wireshark and tracked it down to problems with cookies flagged HttpOnly (we do this for security reasons).

 

To summarize, if an HTTP response comes with these headers to set four cookies:


Set-Cookie: c0=Default; path=/
Set-Cookie: c1=Expires; expires=Wed, 07-Apr-2010 23:53:56 GMT; path=/
Set-Cookie: c2=ExpiresAndHttpOnly; expires=Wed, 07-Apr-2010 23:53:56 GMT; path=/; HttpOnly
Set-Cookie: c3=HttpOnly; path=/; HttpOnly

 

The next HTTP request only sends these two cookies, the ones not set as HttpOnly:

 

Cookie: c1=Expires; c0=Default

 

This seems like a bug in the Widget SDK, as these same cookies work outside of the Widget in the Browser.

 

Here is the C# code I used to generate the cookies:

 

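// Session cookie, readable from script.
HttpCookie c0 = new HttpCookie("c0", "Default");

// Persistent cookie with a one-day lifetime.
HttpCookie c1 = new HttpCookie("c1", "Expires");
c1.Expires = DateTime.Now.AddDays(1);

// Persistent cookie, hidden from script via HttpOnly.
HttpCookie c2 = new HttpCookie("c2", "ExpiresAndHttpOnly");
c2.Expires = DateTime.Now.AddDays(1);
c2.HttpOnly = true;

// Session cookie, hidden from script via HttpOnly.
HttpCookie c3 = new HttpCookie("c3", "HttpOnly");
c3.HttpOnly = true;

// Emit one Set-Cookie header per cookie on the current response.
HttpContext.Current.Response.SetCookie(c0);
HttpContext.Current.Response.SetCookie(c1);
HttpContext.Current.Response.SetCookie(c2);
HttpContext.Current.Response.SetCookie(c3);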

 

 

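A way to check a capture like the one in the post above, as an added example that is not part of the original thread: it parses the Set-Cookie response headers, compares them with the Cookie header of the next request, and reports which still-valid cookies the client failed to return and whether the missing set is exactly the HttpOnly set. The function names are hypothetical, the header values are copied from the post, and the reference time is constructed.

```python
from datetime import datetime, timezone

def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into name, value, expires and httponly."""
    first, *attrs = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "expires": None, "httponly": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "expires":
            # Accept "07-Apr-2010" (as in the post) and "07 Apr 2010".
            text = val.strip().replace("-", " ")
            try:
                stamp = datetime.strptime(text, "%a, %d %b %Y %H:%M:%S GMT")
                cookie["expires"] = stamp.replace(tzinfo=timezone.utc)
            except ValueError:
                pass  # unparseable date: treated as a session cookie
    return cookie

def parse_cookie_header(header_value):
    """Return {name: value} for a request Cookie header."""
    pairs = (p.strip().partition("=") for p in header_value.split(";") if p.strip())
    return {name: value for name, _, value in pairs}

def audit_cookie_return(set_cookie_values, cookie_header, now):
    """Report which still-valid cookies the client failed to send back."""
    returned = parse_cookie_header(cookie_header)
    live = [c for c in map(parse_set_cookie, set_cookie_values)
            if c["expires"] is None or c["expires"] > now]
    missing = [c for c in live if returned.get(c["name"]) != c["value"]]
    present = [c for c in live if c not in missing]
    # Attribute the drop to HttpOnly only when the missing set is exactly the HttpOnly set.
    exact = all(c["httponly"] for c in missing) and not any(c["httponly"] for c in present)
    return {"returned": sorted(c["name"] for c in present),
            "missing": sorted(c["name"] for c in missing),
            "httponly_dropped": bool(missing) and exact}

# Header values copied from the capture in the post.
SET_COOKIES = [
    "c0=Default; path=/",
    "c1=Expires; expires=Wed, 07-Apr-2010 23:53:56 GMT; path=/",
    "c2=ExpiresAndHttpOnly; expires=Wed, 07-Apr-2010 23:53:56 GMT; path=/; HttpOnly",
    "c3=HttpOnly; path=/; HttpOnly",
]
NEXT_REQUEST_COOKIE = "c1=Expires; c0=Default"
# Constructed reference time, before the expiry of c1 and c2.
CAPTURE_TIME = datetime(2010, 4, 7, 0, 0, tzinfo=timezone.utc)
```

Calling `audit_cookie_return(SET_COOKIES, NEXT_REQUEST_COOKIE, CAPTURE_TIME)` on the posted capture lists c2 and c3 as missing and sets `httponly_dropped`, which matches what the post observed in Wireshark.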
BlackBerry Development Advisor
tneil
Posts: 3,708
Registered: ‎10-16-2008
My Device: Z10
My Carrier: Rogers

Re: Problem with Widget accepting HttpOnly cookies

Hi hakanson,

 

We have someone taking a look into this.

 

Stay tuned...

Tim Neil
Director, Application Platform & Tools Product Management
Follow me on Twitter
New Developer
nanotalk
Posts: 17
Registered: ‎10-05-2008
My Device: Not Specified

Re: Problem with Widget accepting HttpOnly cookies

Hi,

 

I just want to add another report. I also found this problem on BrowserField.

 

--

Nano Surbakti

New Contributor
crazy-weasel
Posts: 4
Registered: ‎08-23-2010
My Device: Curve 8520
My Carrier: A1

Re: Problem with Widget accepting HttpOnly cookies

Hi!

 

Sorry for digging out this quite old thread, but are there any updates on this?

 

I have problems with HttpOnly Cookies too. (..and I'm not in the position to change the cookies sent by the service I'm using...)

 

- Alex

Contributor
hakanson
Posts: 36
Registered: ‎04-06-2010
My Device: Bold 9700
My Carrier: AT&T

Re: Problem with Widget accepting HttpOnly cookies

I never heard back on this.  I was doing a prototype solution when I found this, so I just put that project on the back burner (where it still sits).  I am hoping that the OS 6.0 will work better.
