Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/01/31 21:23:35 UTC

DO NOT REPLY [Bug 44382] Need to add support for HTTPOnly session cookie parameter

https://issues.apache.org/bugzilla/show_bug.cgi?id=44382

--- Comment #23 from August Detlefsen <au...@codemagi.com> 2010-01-31 12:23:31 UTC ---
(In reply to comment #22)
> This has been applied to 5.5.x and will be included in 5.5.28 onwards.

On Tomcat 5.5.28, when using context.xml.default to set up attributes for all
contexts, this appears to have no effect. For example, in my
context.xml.default for a particular host I have:

<Context reloadable="true" swallowOutput="true" crossContext="true"
allowLinking="true" unpackWAR="false" useHttpOnly="true">

And yet if I set up a page with:

<script type="text/javascript">
document.write(document.cookie);
</script>

I still get cookie information written to the output: 

JSESSIONID=A7FB0749E8CDE79E7687E2DABF932BE2;
JSESSIONID=7924B5D74D10AD458191C6292196C87A 

Do I need to specify this individually for every context?

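
A server-side counterpart to the document.cookie test in the comment above, as an added example that is not part of the original message or of Tomcat's code: it parses Set-Cookie response headers and lists the cookies of a given name that were issued without the HttpOnly attribute. The header strings, the paths /app1 to /app3 and the function names are constructed for illustration.

```javascript
// Added example: audit Set-Cookie response headers for the HttpOnly attribute.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null; // no cookie name: treat as malformed
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs: {} };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flag attributes such as HttpOnly carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Return the cookies named `cookieName` that were issued without HttpOnly.
function missingHttpOnly(setCookieHeaders, cookieName) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c !== null && c.name === cookieName && c.attrs.httponly !== true)
    .map((c) => ({ name: c.name, path: c.attrs.path || '(default)' }));
}

// Constructed sample headers (not captured from a real server). The last one
// shows why a substring search for "HttpOnly" is not a reliable check: the
// string appears as the cookie's value, not as an attribute.
const sampleHeaders = [
  'JSESSIONID=0000000000000000AAAAAAAAAAAAAAAA; Path=/app1; HttpOnly',
  'JSESSIONID=1111111111111111BBBBBBBBBBBBBBBB; Path=/app2',
  'JSESSIONID=2222222222222222CCCCCCCCCCCCCCCC; Path=/app3; httponly',
  'theme=HttpOnly; Path=/',
];

const findings = missingHttpOnly(sampleHeaders, 'JSESSIONID');
console.log(findings);
```

Each entry in the result is a context path whose session cookie would still be readable through document.cookie.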