tomcat-dev mailing list archives

From "Jim Manico" <...@manico.net>
Subject Re: Support for httpOnly cookies in Tomcat 6.0.x
Date Sat, 28 Feb 2009 22:31:52 GMT
Mark,

I for one am thrilled to see HTTPOnly support for session cookies in Tomcat 
6.0 get close to fruition.

My opinion is that session cookies should not be tagged as HTTPOnly for 
Tomcat 6 by default. (Of course, configuration should allow for turning this 
on.)

I worry that it's going to be rather tough to get to the bottom of what is 
going wrong when extreme edge cases of HTTPOnly use cause a problem.

Either way, adding HTTPOnly to Tomcat 6 will certainly go a long way in 
stopping session-theft based XSS attacks at the configuration level, so that 
programmers will not need to do anything to win this protection. Sadly, 
Yahoo's job board was hacked with an XSS session theft attack just a few 
months ago - HTTPOnly would have stopped it.

Best Regards to you all,
(even Remy),
Jim
----- Original Message ----- 
From: "Mark Thomas" <markt@apache.org>
To: "Tomcat Developers List" <dev@tomcat.apache.org>
Sent: Wednesday, February 25, 2009 5:56 AM
Subject: Re: Support for httpOnly cookies in Tomcat 6.0.x


> Ping. This has been hanging around the status file for a while and I'd
> quite like to complete it.
>
> Mark
>
> Mark Thomas wrote:
>> Folks,
>>
>> The implementation of httpOnly support in Tomcat 7 fits well with the previous
>> httpOnly patch [1] that is currently the proposed backport for 6.0.x
>>
>> When originally proposed there was some concern that the v3 servlet spec may
>> require some changes. This hasn't been the case. With that in mind could folks
>> please review their comments and votes for this patch. I'd like to get it into
>> 6.0.19 if possible.
>>
>> If you still think there is room for improvement, I'm happy to take another look
>> at this. Some pointers as to how you think things could/should be improved would
>> be appreciated.
>>
>> If you do vote for this patch, please remember to indicate your preference for
>> using or not using httpOnly for session cookies by default.
>>
>> Cheers,
>>
>> Mark
>>
>> [1] http://svn.apache.org/viewvc?view=rev&revision=694992
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
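
The thread is about whether the container should stamp HttpOnly on the session cookie for you. The check a practitioner wants while that backport is pending is a way to tell, from a captured response, whether a deployment's session cookie is going out without the flag. The script below is an added example, not code from this thread, from Tomcat, or from either author: it parses Set-Cookie headers from a raw HTTP response and reports session cookies that lack HttpOnly. The two sample responses are constructed to look like a Tomcat 6.0.x container before and after enabling the feature; the JSESSIONID values are made up, and the session-cookie names other than JSESSIONID are assumptions so the check also works against non-servlet backends.

```python
"""Audit HTTP responses for session cookies that are set without HttpOnly.

Added example, not part of the mailing-list thread or of Tomcat itself.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Tomcat names its session cookie JSESSIONID; the other names are assumed
# for illustration so the check also works against non-servlet backends.
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SESSIONID"}


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are stored lower-cased: browsers match them case-insensitively.
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value: name=value; Attr[=val]; Attr[=val] ..."""
    parts = [p.strip() for p in header_value.split(";")]
    if "=" not in parts[0]:
        raise ValueError(f"malformed Set-Cookie: {header_value!r}")
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def parse_response_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response (as captured with 'curl -i') into header pairs.

    Every header is returned as (name, value); repeated headers such as
    multiple Set-Cookie lines are preserved in order.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the status line
    headers: List[Tuple[str, str]] = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return headers


def audit_response(raw: str) -> List[str]:
    """Return one finding per session cookie issued without the HttpOnly flag."""
    findings: List[str] = []
    for name, value in parse_response_headers(raw):
        if name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if cookie.name.upper() in SESSION_COOKIE_NAMES and not cookie.http_only:
            findings.append(f"{cookie.name} is set without HttpOnly")
    return findings


# Constructed sample: what a Tomcat 6.0.x container emits by default (no HttpOnly).
TOMCAT6_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=5F2C3A9E1B0D47C1; Path=/app\r\n"
    "Set-Cookie: theme=dark; Path=/app\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed sample: the same response once the container tags the session cookie.
TOMCAT6_HTTPONLY = TOMCAT6_DEFAULT.replace(
    "JSESSIONID=5F2C3A9E1B0D47C1; Path=/app",
    "JSESSIONID=5F2C3A9E1B0D47C1; Path=/app; HttpOnly",
)

if __name__ == "__main__":
    for label, sample in (("default", TOMCAT6_DEFAULT), ("httpOnly", TOMCAT6_HTTPONLY)):
        print(label, audit_response(sample) or "OK")
```

Feed it a response captured with `curl -i` against the deployment; a finding on JSESSIONID means a script injected via XSS can still read `document.cookie` and lift the session. Note that the flag only keeps the cookie away from script; it does nothing against XSS payloads that act on the user's behalf from inside the page, so it narrows the session-theft case rather than replacing output encoding. On the container side, what Tomcat 6.0.19 and later expose for this is the `useHttpOnly` attribute on a `Context` element, which defaults to off in the 6.0 line, matching the default Jim argues for above.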