tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: httpOnly issue
Date Wed, 08 Mar 2017 13:22:49 GMT
On 08/03/17 12:53, Pritchett, Mark S. (CONT) wrote:
> Hi All
> My first posting.
> Server version: Apache Tomcat/7.0.67
> JVM Version:    1.7.0_131-mockbuild_2017_02_07_02_15-b00
> A vulnerability scan has shown that tomcat doesn't apply httpOnly to come cookies.
> I need to determine if this can be 'corrected'.


> My understanding is that httpOnly is the default with this version of tomcat:
> Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the issue is
still reported by a scan.
> Any ideas please?

Read the docs more carefully. useHttpOnly applies to session cookies.

Any cookie the application creates, the application has to set the
httpOnly attribute appropriately.

You have an application problem, not a Tomcat problem.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message