tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 44382] Need to add support for HTTPOnly session cookie parameter
Date Fri, 25 Jul 2008 01:47:25 GMT

--- Comment #9 from Jim Manico 2008-07-24 18:47:23 PST ---
Thank you for your support to see my HttpOnly session id patch get pushed into
a future release of Tomcat. Several of the committers tell me that this patch
will indeed go live in a future release - after the recent dramatic and
dramatic changes to cookie encoding settle down.

The patches I submitted are rather simple; this is not rocket science. (And it
will indeed break very old/obscure browsers like IE 5.5 on Mac.) My patch does
not change anything by default - it requires a configuration change to make the
JSESSIONID cookies HttpOnly. I prefer secure by default, but I think this is a
fair compromise to encourage the powers-that-be to push this live, hopefully
