tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: HttpOnly
Date Tue, 12 Jun 2012 07:27:44 GMT
2012/6/12 N.s.Karthik <nskarthik.k@gmail.com>:
> Hi
>
> Spec
> JDK1.6
> Tomcat 6.0.10
> O/s Win / Linux(r-Hat)
> Browser : Chrome 19.0.x / IE8
>
> For some specific Reason We use Tomcat 6.0.10 for Dev/Deploy in INTRANET.
>
> I have Googled / Yahooed for the same..... "HttpOnly"
>
> 1 forum suggested to use Filters and set Cookie Headers as alternative for
> Handling "HttpOnly"
>
> However with this setting we are able to see multiple Cookies being set
>

I am sure that you cannot do it with a Filter, just because of that
double Set-Cookie header issue. It might be possible with a Valve
though, but YMMV.

Anyway, if you are seriously worrying about security, you should not
use such an outdated version of Tomcat.
http://tomcat.apache.org/security-6.html

Built-in support for HttpOnly is available since Tomcat 6.0.20 (issue
44382), which was released 3 years ago.

Best regards,
Konstantin Kolinko
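
Added example, not part of the original message or of Tomcat: a small check for the symptom discussed in this thread, run over a response's headers. It flags a session cookie that is set more than once and any copy that lacks HttpOnly. The cookie name JSESSIONID is Tomcat's default; the two sample responses are constructed for illustration, the first assuming the filter's header appears alongside the container's own.

```python
from collections import defaultdict


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie(headers, session_cookie="JSESSIONID"):
    """headers: list of (name, value) response headers in wire order.
    Returns a list of findings for the session cookie (empty list = clean)."""
    seen = defaultdict(list)
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            cname, attrs = parse_set_cookie(hvalue)
            seen[cname].append(attrs)

    findings = []
    copies = seen.get(session_cookie, [])
    if len(copies) > 1:
        # The "double Set-Cookie header" case from the thread.
        findings.append("duplicate: %s set %d times" % (session_cookie, len(copies)))
    for i, attrs in enumerate(copies):
        if "httponly" not in attrs:
            findings.append("missing-httponly: %s copy %d" % (session_cookie, i + 1))
    return findings


# Constructed sample: container header plus a second one added by a filter.
FILTER_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123ABCD; Path=/app"),
    ("Set-Cookie", "JSESSIONID=0123ABCD; Path=/app; HttpOnly"),
]

# Constructed sample: a single header carrying the flag.
BUILTIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123ABCD; Path=/app; HttpOnly"),
]

if __name__ == "__main__":
    for label, resp in (("filter", FILTER_RESPONSE), ("built-in", BUILTIN_RESPONSE)):
        print(label, audit_set_cookie(resp) or "ok")
```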
