On 06/18/2013 02:52 PM, cfern...@sju.edu wrote:
> It's in the Spring configuration for ticketGrantingTicketCookieGenerator.
> That bean takes a boolean parameter named "cookieSecure". I'll let you guess
> what it does.

Right, the p:cookieSecure sets the Secure flag.

The CookieRetrievingCookieGenerator.java code behind ticketGrantingTicketCookieGenerator does not look to reference the httpOnly flag. Our current container (Tomcat 6) supports the Servlet 2.5 API, so I'd guess the CAS code can't/won't use the httpOnly flag without extension.

http://www.daodecode.com/blog/2013/03/25/castgc-cookie-and-httponly-flag/

Perhaps you're running a container that supports the Servlet 3.0 API?

http://docs.oracle.com/javaee/5/api/javax/servlet/http/Cookie.html
vs.
http://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setHttpOnly%28boolean%29

Guess I could run Tomcat 7 or Jetty 8 (was trying to use RedHat native packages if possible).

Tom.
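
The message above separates two cookie attributes: Secure, set through p:cookieSecure, and HttpOnly, which depends on the Servlet API level. The following is an added example, not part of the original message or of the CAS code base, that audits Set-Cookie header values for both attributes on the CASTGC cookie. The function names are hypothetical and the header lines are constructed samples.

```python
"""Audit Set-Cookie header values for the Secure and HttpOnly attributes."""

REQUIRED_FLAGS = ("secure", "httponly")

# Constructed sample headers (not captured from a real server).
SAMPLE_WITHOUT_HTTPONLY = [
    "JSESSIONID=ABC123; Path=/cas; Secure; HttpOnly",
    "CASTGC=TGT-1-example; Path=/cas; Secure",
]
SAMPLE_WITH_BOTH = ["CASTGC=TGT-1-example; Path=/cas; secure; HTTPONLY"]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive, so they are lower-cased.
    Valueless attributes such as Secure and HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def missing_flags(set_cookie_headers, cookie_name="CASTGC"):
    """List the required flags missing from each header that sets cookie_name.

    Returns None when no header sets the cookie (nothing to audit).
    """
    findings = None
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        if findings is None:
            findings = []
        findings.append([f for f in REQUIRED_FLAGS if f not in attrs])
    return findings


if __name__ == "__main__":
    for label, sample in (("without HttpOnly", SAMPLE_WITHOUT_HTTPONLY),
                          ("with both flags", SAMPLE_WITH_BOTH)):
        print(label, "->", missing_flags(sample))
```

Feed it the Set-Cookie values from a login response of the deployment under test; an empty inner list means both attributes were present on that cookie.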