Symantec Access Management

  • 1.  SiteMinder httponly cookie issue with Java

    Posted Apr 12, 2017 02:17 PM

    We have a client using a Java Applet which is using SiteMinder SSO.  The client wants to enable http-only cookies in SiteMinder.

     

    Java Applets in Internet Explorer can read HttpOnly cookies, but only if the case used for the word HttpOnly in the "Set-Cookie:" header is "HttpOnly".   SiteMinder's SMSESSION cookie uses "HTTPOnly" which causes Java to not read the cookie at all.   This results in SiteMinder timing out the application.

     

    According to RFC 6265, the word should be "HttpOnly".

    https://tools.ietf.org/html/rfc6265#section-5.2.6

     

     

    It seems like most, if not all, browsers will accept a difference in case, but Java is a stickler for following the RFC and only works with "HttpOnly".

     

    As far as I can tell from searching, only SiteMinder sets this parameter as "HTTPOnly" instead of "HttpOnly".  Is there some way to get SiteMinder to set the case so that it correctly sends "HttpOnly" instead of "HTTPOnly"?

     

     



  • 2.  Re: SiteMinder httponly cookie issue with Java

    Posted Apr 12, 2017 03:54 PM

    Actually re-reading the RFC, this seems to be a Java bug as it appears the word "HttpOnly" should be "case-insensitively matched".
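    As an added illustration of the RFC rule the two posts above refer to (this is example code written for this thread, not SiteMinder, Broadcom or JRE code): RFC 6265 section 5.2 splits a Set-Cookie value on ";" and, in 5.2.5 and 5.2.6, matches the Secure and HttpOnly attribute names case-insensitively, so "HTTPOnly" and "HttpOnly" must both set the flag. The parser below does exactly that, and a second function shows what a consumer that compares the attribute name literally would see instead. The SMSESSION header is a constructed sample in the general Set-Cookie shape (the session value is a placeholder, not a real SiteMinder token); the attribute layout SiteMinder actually emits is an assumption.

```python
"""RFC 6265 section 5.2 style Set-Cookie parsing, case-insensitive attribute names.

Example written for this discussion; not code from SiteMinder or the JRE.
"""
from dataclasses import dataclass, field

# Constructed sample: a SiteMinder-like header using the "HTTPOnly" spelling
# discussed in the thread. The session value is a placeholder, and the exact
# attribute order SiteMinder emits is an assumption made for the example.
SAMPLE_SMSESSION = "SMSESSION=OPAQUE-SESSION-TOKEN; path=/; domain=.example.com; HTTPOnly; Secure"
SAMPLE_CANONICAL = "SMSESSION=OPAQUE-SESSION-TOKEN; path=/; domain=.example.com; HttpOnly; Secure"


@dataclass
class ParsedCookie:
    name: str
    value: str
    http_only: bool = False
    secure: bool = False
    attributes: dict = field(default_factory=dict)  # other attrs, lower-cased names


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value following RFC 6265 section 5.2.

    Attribute names are compared case-insensitively, as 5.2.5 (Secure) and
    5.2.6 (HttpOnly) require, so "HTTPOnly", "httponly" and "HttpOnly" all
    set the http_only flag.
    """
    parts = header.split(";")
    name_value = parts[0]
    if "=" not in name_value:
        # 5.2 step 1: a set-cookie-string without "=" is ignored entirely.
        raise ValueError("Set-Cookie name-value pair lacks '='")
    name, _, value = name_value.partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        raise ValueError("Set-Cookie has an empty cookie name")
    cookie = ParsedCookie(name=name, value=value)

    for av in parts[1:]:
        av = av.strip()
        if not av:
            continue
        if "=" in av:
            attr_name, _, attr_value = av.partition("=")
        else:
            attr_name, attr_value = av, ""
        key = attr_name.strip().lower()  # case-insensitive match per 5.2
        attr_value = attr_value.strip()
        if key == "httponly":
            cookie.http_only = True
        elif key == "secure":
            cookie.secure = True
        else:
            cookie.attributes[key] = attr_value
    return cookie


def http_only_literal_match(header: str) -> bool:
    """What a consumer that compares the attribute name literally would see.

    This is only a demonstration of the failure mode described in the thread
    (a case-sensitive comparison against "HttpOnly"); it is not a reproduction
    of the JRE's actual cookie code.
    """
    return any(av.strip() == "HttpOnly" for av in header.split(";")[1:])


def uses_canonical_httponly_spelling(header: str) -> bool:
    """Practitioner check: does the header spell the flag exactly "HttpOnly"?

    Returns False when the HttpOnly attribute is present but written with
    different casing (e.g. "HTTPOnly"), which is valid per RFC 6265 but, as
    the thread reports, may be rejected by a strict consumer.
    """
    for av in header.split(";")[1:]:
        token = av.strip()
        if token.lower() == "httponly":
            return token == "HttpOnly"
    return False  # no HttpOnly attribute at all


if __name__ == "__main__":
    for hdr in (SAMPLE_SMSESSION, SAMPLE_CANONICAL):
        c = parse_set_cookie(hdr)
        print(f"{c.name}: http_only={c.http_only} (RFC parse), "
              f"literal match={http_only_literal_match(hdr)}, "
              f"canonical spelling={uses_canonical_httponly_spelling(hdr)}")
```

Run against a real response, pull the Set-Cookie header out with the client of your choice and feed it to `uses_canonical_httponly_spelling` to find out whether the server emits a non-canonical spelling before a strict client trips over it.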



  • 3.  Re: SiteMinder httponly cookie issue with Java

    Broadcom Employee
    Posted Apr 12, 2017 08:28 PM

    Hi Michael

     

    Are you able to open a support case? Then we can follow up internally with our Sustaining Engineering groups, as a potential incompatibility bug.

     

    Technically, as you say, it is a bug in the JRE, and Java should parse the HttpOnly attribute in a case-insensitive manner, so HTTPOnly should work as well as HttpOnly. Unfortunately the value is compiled in and is not something configurable via a properties file change.

     

    But for standards it is often good to adopt the most common usage, to avoid falling into some of these cracks, so it may be possible that we can deliver a fix, depending on what our SE team determines.

     

    Cheers - Mark

    ----
    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success



  • 4.  Re: SiteMinder httponly cookie issue with Java

    Posted Apr 13, 2017 08:04 AM

    I've asked the client to open a support ticket.  I will respond here when they do.