Security hat on. Curious, any technical reason why the current CAS server (3.5.x) does not appear to use HttpOnly on its CASTGC cookie?
This has nothing to do with CAS per se, but with the servlet spec level we're targeting. I believe we're officially on 2.5 or 2.6, which doesn't support that flag [1].
Will it be available/implemented/as an option in 4.0?
I think it would be wise to consider. Targeting servlet 3.0 is JEE6, I believe, which supports HttpOnly [2]. Could you file a Jira issue?
Thanks, M

[1] http://docs.oracle.com/javaee/5/api/javax/servlet/http/Cookie.html
[2] http://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html
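To make the difference between the two servlet levels concrete, here is an added example (not code from the CAS project or from anyone in this thread) showing how the CASTGC cookie would be issued with HttpOnly under Servlet 3.0, and the manual Set-Cookie header a Servlet 2.5 deployment has to fall back to because javax.servlet.http.Cookie has no setHttpOnly there. The class name, the helper method names, the "/cas" context path and the ticket value are assumptions made for illustration only; the HttpOnly and Secure attribute syntax is the standard cookie attribute syntax.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Added illustration, not CAS code. Shows the two ways of getting an
 * HttpOnly CASTGC cookie onto the wire depending on servlet spec level.
 */
public final class TgcCookieExample {

    private TgcCookieExample() {}

    /**
     * Servlet 3.0 (Java EE 6) and later: the Cookie API carries the flag,
     * so the container writes "; HttpOnly" into the Set-Cookie header itself.
     */
    public static void addTgcServlet3(HttpServletResponse response, String ticketGrantingTicketId) {
        Cookie tgc = new Cookie("CASTGC", ticketGrantingTicketId);
        tgc.setPath("/cas");       // assumed CAS context path
        tgc.setSecure(true);       // never send the TGT over plain HTTP
        tgc.setHttpOnly(true);     // new in Servlet 3.0: keeps document.cookie from reading it
        tgc.setMaxAge(-1);         // session cookie, discarded when the browser closes
        response.addCookie(tgc);
    }

    /**
     * Servlet 2.5: no setHttpOnly, so build the Set-Cookie header by hand.
     * The value is validated first so a hostile ticket id cannot smuggle
     * extra cookie attributes or a second header into the response.
     */
    public static String buildTgcHeaderServlet25(String ticketGrantingTicketId, String path) {
        if (ticketGrantingTicketId == null || ticketGrantingTicketId.isEmpty()) {
            throw new IllegalArgumentException("empty ticket id");
        }
        for (char c : ticketGrantingTicketId.toCharArray()) {
            // CR/LF would split the header; ';' and ',' would inject attributes.
            if (c == '\r' || c == '\n' || c == ';' || c == ',' || c <= 0x20 || c >= 0x7f) {
                throw new IllegalArgumentException("ticket id contains unsafe character");
            }
        }
        return "CASTGC=" + ticketGrantingTicketId + "; Path=" + path + "; Secure; HttpOnly";
    }

    public static void addTgcServlet25(HttpServletResponse response, String ticketGrantingTicketId) {
        // addHeader rather than setHeader so other Set-Cookie headers survive.
        response.addHeader("Set-Cookie", buildTgcHeaderServlet25(ticketGrantingTicketId, "/cas"));
    }
}
```

Whichever path is used, verify the result from outside rather than trusting the code: request the login page over TLS with `curl -v` (or watch the response in the browser's developer tools) and confirm the Set-Cookie line for CASTGC carries both `Secure` and `HttpOnly`. On a 2.5 deployment an alternative to the hand-built header is to have the container add the flag for every session-style cookie it writes, for example Tomcat's per-Context `useHttpOnly` attribute, but that only covers cookies the container itself emits, so it still has to be checked against the CASTGC cookie specifically.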