tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44382] Need to add support for HTTPOnly session cookie parameter
Date Sun, 31 Jan 2010 20:23:35 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=44382

--- Comment #23 from August Detlefsen <augustd@codemagi.com> 2010-01-31 12:23:31 UTC ---
(In reply to comment #22)
> This has been applied to 5.5.x and will be included in 5.5.28 onwards.

On Tomcat 5.5.28, when using context.xml.default to set up attributes for all
contexts, this appears to have no effect. For example, in my
context.xml.default for a particular host I have:

<Context reloadable="true" swallowOutput="true" crossContext="true"
allowLinking="true" unpackWAR="false" useHttpOnly="true">

And yet if I set up a page with:

<script type="text/javascript">
document.write(document.cookie);
</script>

I still get cookie information written to the output: 

JSESSIONID=A7FB0749E8CDE79E7687E2DABF932BE2;
JSESSIONID=7924B5D74D10AD458191C6292196C87A 

Do I need to specify this individually for every context?

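A header-level check for the behaviour reported above, as an added example that is not part of the original message or of Tomcat's own code. document.cookie returns only name=value pairs, so it cannot show which Path each JSESSIONID was issued for or whether HttpOnly was set; the Set-Cookie response headers can. The header lines, session values and paths in SAMPLE_HEADERS are constructed, and the function names are hypothetical.

```javascript
// Added example: audit Set-Cookie response headers for the HttpOnly attribute.
// SAMPLE_HEADERS is constructed for illustration, not captured from a real server.
const SAMPLE_HEADERS = [
  "Set-Cookie: JSESSIONID=AAAA1111; Path=/app1; HttpOnly",
  "Set-Cookie: JSESSIONID=BBBB2222; Path=/app2",
  "set-cookie: theme=dark; path=/; httponly; Secure",
  "Content-Type: text/html",
];

// Parse one header line into { name, path, httpOnly }.
// Returns null for headers other than Set-Cookie or for malformed cookies.
function parseSetCookie(line) {
  const m = /^set-cookie:\s*(.*)$/i.exec(line);
  if (!m) return null;
  const parts = m[1].split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf("=");
  if (eq < 1) return null; // a cookie needs a non-empty name before "="
  const cookie = { name: parts[0].slice(0, eq), path: null, httpOnly: false };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split("=");
    const k = key.trim().toLowerCase(); // attribute names are case-insensitive
    if (k === "httponly") cookie.httpOnly = true;
    else if (k === "path") cookie.path = rest.join("=").trim();
  }
  return cookie;
}

// Return every cookie with the given name that was issued without HttpOnly.
// Each Set-Cookie header is judged on its own, so two session cookies set
// for different paths are reported separately.
function missingHttpOnly(headerLines, cookieName) {
  return headerLines
    .map(parseSetCookie)
    .filter((c) => c !== null && c.name === cookieName && !c.httpOnly);
}

for (const c of missingHttpOnly(SAMPLE_HEADERS, "JSESSIONID")) {
  console.log(`${c.name} for Path=${c.path} is issued without HttpOnly`);
}
```

Feeding it the response headers from each context on the host shows which contexts still issue the session cookie without the attribute.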