Security hat on. Curious, any technical reason why the current CAS server (3.5.x) does not appear to use HttpOnly on its CASTGC cookie?
Will it be available/implemented/as an option in 4.0? (I've seen ways to set the flag in e.g. web.xml; just wondering) Thanks. Tom. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user