From: "Jim Manico"
To: "Tomcat Developers List" (dev@tomcat.apache.org)
Subject: Adding HTTPONLY cookie support option to Tomcat 5.5/6
Date: Fri, 8 Feb 2008 00:38:23 -0500

Hello,

You folks rock - I have used Tomcat at Sun for many projects - it's been rock solid. I'd like to add something back to the community.

I'm hot on adding support for the HTTPONLY cookie flag for security purposes now that IE and Tomcat support it for XSS and other security protections.

1) Can I add this to both 5.5 and 6 as a Session Manager option?
2) Where do you recommend I start?
3) Should I post my code samples to the list before I check in?

This is my first time contributing to Tomcat; any guidance to get me started would be greatly appreciated.

Best,
Jim Manico