Where do you see that? In the Chrome dev tool I can see that our CAS 3.5.2 installation sends both HttpOnly and Secure. I didn't make any major changes from the defaults, either.
Best regards,

--
Carlos M. Fernández
Sr. Enterprise Systems Admin
Saint Joseph's University
W: 610-660-1501
M: 215-316-1193
E: cfern...@sju.edu

On Jun 18, 2013, at 17:20, Tom Poage <tfpo...@ucdavis.edu> wrote:

> Security hat on. Curious, any technical reason why the current CAS
> server (3.5.x) does not appear to use HttpOnly on its CASTGC cookie?
>
> Will it be available/implemented/as an option in 4.0?
>
> (I've seen ways to set the flag in e.g. web.xml; just wondering)
>
> Thanks.
> Tom.
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as: cfern...@sju.edu
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
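The thread turns on whether the CASTGC cookie is issued with the HttpOnly and Secure attributes, which Carlos checked by eye in the Chrome dev tools. The script below is an added example (not code from the thread or from the CAS project) that does the same check mechanically over a list of response headers: it parses each Set-Cookie value, reports which required attributes every cookie lacks, and gives a yes/no answer for the ticket-granting cookie. The header lines are constructed to resemble a CAS 3.5.x /cas/login response and the TGT value is a placeholder; the function and constant names are the example's own.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Constructed example: the headers below are made up to look like the
response of a CAS 3.5.x /cas/login that has just issued a
ticket-granting cookie (CASTGC). They are not captured from a real server.
"""

# Attribute names are compared case-insensitively (RFC 6265), so keep them lowercase.
REQUIRED_FLAGS = ("secure", "httponly")

# Constructed sample: a well-formed CASTGC plus a second cookie missing both flags.
SAMPLE_HEADERS = [
    ("Set-Cookie", "CASTGC=TGT-1-PLACEHOLDER-cas01.example.org; Path=/cas; Secure; HttpOnly"),
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/cas"),
    ("Content-Type", "text/html;charset=UTF-8"),
]


def parse_set_cookie(value):
    """Return (cookie_name, {attribute_name_lowercased: attribute_value}) for one Set-Cookie value.

    Flag attributes such as Secure and HttpOnly have no value and map to "".
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers, required=REQUIRED_FLAGS):
    """Map each cookie name set in `headers` to the list of required flags it lacks.

    `headers` is a list of (header_name, header_value) tuples, the shape that
    http.client.HTTPResponse.getheaders() returns.
    """
    missing = {}
    for header_name, value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing[name] = [flag for flag in required if flag not in attrs]
    return missing


def tgc_is_hardened(headers, cookie_name="CASTGC"):
    """True only if the ticket-granting cookie was seen and carries every required flag.

    A response that never sets the cookie counts as a failure, so a login page
    that silently stopped issuing a TGC does not pass by accident.
    """
    report = audit_cookies(headers)
    return cookie_name in report and not report[cookie_name]


if __name__ == "__main__":
    for cookie, lacking in audit_cookies(SAMPLE_HEADERS).items():
        status = "ok" if not lacking else "missing " + ", ".join(lacking)
        print(f"{cookie}: {status}")
    print("CASTGC hardened:", tgc_is_hardened(SAMPLE_HEADERS))
```

To run this against a live server, feed `audit_cookies` the list returned by `response.getheaders()` from `urllib.request`/`http.client` after posting valid credentials to /cas/login; the response that redirects back to the service is the one that carries the CASTGC Set-Cookie. Checking the header rather than the browser's cookie store matters because a cookie flagged HttpOnly is, by design, invisible to script on the page.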