Summary: | SSO cookie should be added as HttpOnly | |
---|---|---|---
Product: | Tomcat 5 | Reporter: | dheinecke
Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev>
Status: | RESOLVED FIXED | |
Severity: | normal | |
Priority: | P2 | |
Version: | 5.5.29 | |
Target Milestone: | --- | |
Hardware: | PC | |
OS: | Windows XP | |

Description
dheinecke
2010-08-13 19:18:22 UTC
Since the setting of HttpOnly should be controlled by the useHttpOnly attribute of the context, the code should probably read:

798- response.addCookie(cookie)
798+ response.addCookieInternal(cookie, request.getContext.getUserHttpOnly());

This has been fixed in trunk and will be included in 7.0.3 onwards. I'll take a look at proposing backports for 6.0.x and 5.5.x.

Patch proposed for 6.0.x and 5.5.x

Fixed in trunk and will be in 5.5.31 onwards.

Fixed in 6.0.x and will be included in 6.0.30 onwards.
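
Review bot: the 798+ line looks mistyped in two places: `request.getContext` has no call parentheses, and `getUserHttpOnly` does not match the useHttpOnly attribute that the sentence introducing the change names. If the getter follows the attribute name, the argument would read `request.getContext().getUseHttpOnly()`; it is worth confirming the exact accessor against the Context interface before backporting. The 798- line also lacks the trailing semicolon that the 798+ line has, so the two lines should be checked against the actual source line 798.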
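
One way to confirm the fix from the outside is to inspect the Set-Cookie headers returned after a single sign-on login. The following is an added example, not code from the report or from Tomcat; it assumes Tomcat's default cookie names JSESSIONID and JSESSIONIDSSO (not stated in the report) and runs on constructed header values.

```python
# Added example: audit Set-Cookie header values for the HttpOnly attribute.
# Cookie names are Tomcat's defaults (an assumption; the report does not name them).
SESSION_COOKIE = "JSESSIONID"
SSO_COOKIE = "JSESSIONIDSSO"

# Constructed sample: a response where only the session cookie is HttpOnly,
# which is the behaviour the report describes.
SAMPLE_BEFORE = [
    "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",
    "JSESSIONIDSSO=FEDCBA9876543210; Path=/",
]
# Constructed sample: the same response once the SSO cookie follows useHttpOnly.
SAMPLE_AFTER = [
    "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",
    "JSESSIONIDSSO=FEDCBA9876543210; Path=/; HttpOnly",
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265), so normalise them.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_httponly(set_cookie_values, watched=(SESSION_COOKIE, SSO_COOKIE)):
    """Return watched cookie names that were set without HttpOnly, in header order."""
    findings = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name in watched and "httponly" not in attrs and name not in findings:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, missing_httponly(headers) or "all watched cookies are HttpOnly")
```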