tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44382] Need to add support for HTTPOnly session cookie parameter
Date Fri, 25 Jul 2008 01:47:25 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=44382

--- Comment #9 from Jim Manico <jim@manico.net>  2008-07-24 18:47:23 PST ---
Thank you for your support to see my HttpOnly session id patch get pushed into
a future release of Tomcat. Several of the committers tell me that this patch
will indeed go live in a future release - after the recent dramatic
changes to cookie encoding settle down.

The patches I submitted are rather simple; this is not rocket science. (And it
will indeed break very old/obscure browsers like IE 5.5 on Mac). My patch does
not change anything by default - it requires a configuration change to make the
JSESSIONID cookies HttpOnly. I prefer secure by default, but I think this is a
fair compromise to encourage the powers-that-be to push this live, hopefully
soon. 

