Bug 49749 - SSO cookie should be added as HttpOnly
Summary: SSO cookie should be added as HttpOnly
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 5.5.29
Hardware: PC Windows XP
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2010-08-13 19:18 UTC by dheinecke
Modified: 2010-09-07 12:05 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description dheinecke 2010-08-13 19:18:22 UTC
SSO cookies should be made HttpOnly by default.

In org.apache.catalina.authenticator.AuthenticatorBase#register(), 

798- response.addCookie(cookie);
798+ response.addCookieInternal(cookie, true);
Comment 1 dheinecke 2010-08-16 13:04:28 UTC
Since the setting of HttpOnly should be controlled by the useHttpOnly attribute of the context, the code should probably read:

798- response.addCookie(cookie)
798+ response.addCookieInternal(cookie, request.getContext.getUserHttpOnly());
Comment 2 Mark Thomas 2010-08-25 07:38:06 UTC
This has been fixed in trunk and will be included in 7.0.3 onwards.

I'll take a look at proposing backports for 6.0.x and 5.5.x.
Comment 3 Mark Thomas 2010-08-25 08:08:59 UTC
Patch proposed for 6.0.x and 5.5.x
Comment 4 Mark Thomas 2010-09-03 12:56:49 UTC
Fixed in trunk and will be in 5.5.31 onwards.
Comment 5 Mark Thomas 2010-09-07 12:05:39 UTC
Fixed in 6.0.x and will be included in 6.0.30 onwards.