tapestry-dev mailing list archives

From "Barry Books (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TAP5-2327) The Cookies interface should provide an option to mark cookies as httpOnly
Date Thu, 20 Aug 2015 12:52:47 GMT

    [ https://issues.apache.org/jira/browse/TAP5-2327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14704812#comment-14704812 ]

Barry Books commented on TAP5-2327:
-----------------------------------

I needed httpOnly cookies, but Tapestry also uses Jetty 7 for testing, so I wrote a method that
uses reflection to see if the httpOnly method is available and calls it if it's there. This
allows you to run in a 2.5 container and use httpOnly if you are in a 3.0 container.

> The Cookies interface should provide an option to mark cookies as httpOnly
> --------------------------------------------------------------------------
>
>                 Key: TAP5-2327
>                 URL: https://issues.apache.org/jira/browse/TAP5-2327
>             Project: Tapestry 5
>          Issue Type: New Feature
>          Components: tapestry-core
>    Affects Versions: 5.3.7
>            Reporter: Martin Schneider
>              Labels: security
>
> Since Servlet 3.0 there is an option to mark cookies as httpOnly via javax.servlet.http.Cookie.setHttpOnly(boolean).
> There should be an option to use that in org.apache.tapestry5.services.Cookies. In 5.3.7 the
> default implementation does not set the httpOnly flag.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
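
One way to write the reflection check the comment describes, as an added example that is not code from the message or from the Tapestry project. The class name `HttpOnlyCompat`, the method `markHttpOnly` and the two stand-in cookie classes are assumptions made so the example runs without a servlet API on the classpath; in a container the argument would be a `javax.servlet.http.Cookie`.

```java
import java.lang.reflect.Method;

public class HttpOnlyCompat {

    /**
     * Calls setHttpOnly(true) on the cookie if the loaded Servlet API has
     * that method (3.0 and later). Returns false on a 2.5 API, where the
     * cookie is sent without the flag, so the caller can log the downgrade.
     */
    public static boolean markHttpOnly(Object cookie) {
        try {
            Method m = cookie.getClass().getMethod("setHttpOnly", boolean.class);
            m.invoke(cookie, true);
            return true;
        } catch (NoSuchMethodException e) {
            return false; // Servlet 2.5: the method does not exist
        } catch (ReflectiveOperationException e) {
            // The method exists but failed; surface this instead of silently
            // sending a session cookie that scripts can read.
            throw new IllegalStateException("setHttpOnly could not be invoked", e);
        }
    }

    // Constructed stand-in for a Servlet 2.5 Cookie (no setHttpOnly).
    public static class Cookie25 {
        public final String name;
        public Cookie25(String name) { this.name = name; }
    }

    // Constructed stand-in for a Servlet 3.0 Cookie.
    public static class Cookie30 {
        public final String name;
        private boolean httpOnly;
        public Cookie30(String name) { this.name = name; }
        public void setHttpOnly(boolean value) { this.httpOnly = value; }
        public boolean isHttpOnly() { return httpOnly; }
    }

    public static void main(String[] args) {
        Cookie25 oldApi = new Cookie25("session");
        Cookie30 newApi = new Cookie30("session");
        System.out.println("2.5 API flag applied: " + markHttpOnly(oldApi));
        System.out.println("3.0 API flag applied: " + markHttpOnly(newApi));
        System.out.println("3.0 cookie isHttpOnly: " + newApi.isHttpOnly());
    }
}
```

Because the 2.5 path returns without setting the flag, logging the `false` result shows which deployments are still issuing script-readable cookies.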
