shiro-dev mailing list archives

From "Matt Baker (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SHIRO-601) deleted cookies don't set httpOnly flag. trigger warnings in PEN tools
Date Thu, 10 Nov 2016 13:59:59 GMT
Matt Baker created SHIRO-601:
--------------------------------

             Summary: deleted cookies don't set httpOnly flag. trigger warnings in PEN tools
                 Key: SHIRO-601
                 URL: https://issues.apache.org/jira/browse/SHIRO-601
             Project: Shiro
          Issue Type: Bug
          Components: Session Management
    Affects Versions: 1.3.2
         Environment: java 1.7.045
            Reporter: Matt Baker


When Shiro deletes a session cookie on logout it explicitly sets the httpOnly flag to false.
This is triggering false-positive warnings in PEN testing tools like OWASP.

To avoid this, Shiro should ALWAYS set the httpOnly flag for its session cookies whether they
are being set to 'deleteMe' or not.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
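As an added illustration of the check a scanner applies here (this is not Shiro's code and not part of the report): it parses Set-Cookie header values, treats Max-Age=0 or the value deleteMe as a cookie deletion, and flags any deletion sent without HttpOnly. The header values are constructed for the example.

```python
# Added example: flag Set-Cookie headers that clear a cookie without HttpOnly,
# the condition SHIRO-601 describes. Header values are constructed, not captured.
from dataclasses import dataclass
from typing import Dict, List

DELETED_VALUE = "deleteMe"  # value the report says Shiro writes when removing a cookie


@dataclass
class CookieCheck:
    name: str
    is_deletion: bool
    http_only: bool
    secure: bool

    @property
    def missing_http_only_on_delete(self) -> bool:
        return self.is_deletion and not self.http_only


def parse_set_cookie(header: str) -> CookieCheck:
    """Split one Set-Cookie value into name=value plus its attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # A deletion is either Shiro's sentinel value or a non-positive Max-Age.
    is_deletion = value == DELETED_VALUE
    try:
        is_deletion = is_deletion or int(attrs.get("max-age", "1")) <= 0
    except ValueError:
        pass  # malformed Max-Age: ignore it, rely on the sentinel value only
    return CookieCheck(name, is_deletion, "httponly" in attrs, "secure" in attrs)


def find_insecure_deletions(headers: List[str]) -> List[str]:
    """Return the names of cookies deleted without the HttpOnly attribute."""
    return [c.name for c in map(parse_set_cookie, headers) if c.missing_http_only_on_delete]


# Constructed logout response headers: the first mirrors the reported behaviour.
SAMPLE_HEADERS = [
    "JSESSIONID=deleteMe; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "rememberMe=deleteMe; Path=/; Max-Age=0; HttpOnly",
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    print("deleted without HttpOnly:", find_insecure_deletions(SAMPLE_HEADERS))
```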
