Well, you made me look, and sure enough the HttpOnly flag is not there. Bugger. Looking back, I'm pretty sure that I recalled working with our LMS, which does send HttpOnly and uses Tomcat6. Guess I have my breakfast made for today.
I imagine that CookieRetrievingCookieGenerator could be modified to use HttpServletResponse.addHeader instead of .addCookie and add the flags by hand.

Best regards,
-- Carlos.

-----Original Message-----
From: Tom Poage [mailto:tfpo...@ucdavis.edu]
Sent: Tuesday, 18 June, 2013 19:45
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] HttpOnly cookie flag

On 06/18/2013 02:52 PM, cfern...@sju.edu wrote:
> It's in the Spring configuration for ticketGrantingTicketCookieGenerator. That bean takes a boolean parameter named "cookieSecure". I'll let you guess what it does.

Right, the p:cookieSecure sets the Secure flag.

The CookieRetrievingCookieGenerator.java code behind ticketGrantingTicketCookieGenerator does not look to reference the httpOnly flag. Our current container (Tomcat 6) supports the Servlet 2.5 API, so I'd guess the CAS code can't/won't use the httpOnly flag without extension.

http://www.daodecode.com/blog/2013/03/25/castgc-cookie-and-httponly-flag/

Perhaps you're running a container that supports the Servlet 3.0 API?

http://docs.oracle.com/javaee/5/api/javax/servlet/http/Cookie.html
vs.
http://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setHttpOnly%28boolean%29

Guess I could run Tomcat 7 or Jetty 8 (was trying to use RedHat native packages if possible).

Tom.

--
You are currently subscribed to cas-user@lists.jasig.org as: cfern...@sju.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
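Carlos's idea of emitting the Set-Cookie header by hand so that HttpOnly can be sent from a Servlet 2.5 container, shown as an added example that is not code from the CAS project or from anyone on the thread; the class name HttpOnlyCookieWriter, the method names and the token checks on name and value are assumptions.

```java
import javax.servlet.http.HttpServletResponse;

/**
 * Writes a Set-Cookie header with HttpServletResponse.addHeader instead of
 * addCookie, because javax.servlet.http.Cookie in Servlet 2.5 (Tomcat 6) has
 * no setHttpOnly(). Illustration only; not CookieRetrievingCookieGenerator.
 */
public final class HttpOnlyCookieWriter {

    private HttpOnlyCookieWriter() {}

    /** Returns e.g. "CASTGC=TGT-1-abc; Path=/cas; Secure; HttpOnly". */
    public static String buildSetCookieValue(String name, String value, String path,
                                             int maxAgeSeconds, boolean secure, boolean httpOnly) {
        // addHeader bypasses the container's cookie encoding, so reject anything
        // that could inject extra attributes or a second cookie into the header.
        if (name == null || !name.matches("[A-Za-z0-9_\\-]+")) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        if (value == null || !value.matches("[A-Za-z0-9_\\-.]*")) { // assumes an ASCII token (TGT id)
            throw new IllegalArgumentException("invalid cookie value");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null && !path.isEmpty()) {
            sb.append("; Path=").append(path);
        }
        if (maxAgeSeconds >= 0) {               // -1 means session cookie: omit Max-Age
            sb.append("; Max-Age=").append(maxAgeSeconds);
        }
        if (secure) {
            sb.append("; Secure");              // only sent over TLS
        }
        if (httpOnly) {
            sb.append("; HttpOnly");            // hidden from document.cookie
        }
        return sb.toString();
    }

    /** Emits the cookie; call this where the generator would call response.addCookie(). */
    public static void addCookie(HttpServletResponse response, String name, String value,
                                 String path, int maxAgeSeconds, boolean secure, boolean httpOnly) {
        response.addHeader("Set-Cookie",
                buildSetCookieValue(name, value, path, maxAgeSeconds, secure, httpOnly));
    }
}
```

After deploying, confirm from a captured response (for example `curl -sI` against the CAS login URL) that the Set-Cookie line for CASTGC carries both Secure and HttpOnly, since the container no longer adds either for you.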