Hello Charles; thanks very much for bringing this up.

I vote +1 on this proposal.

Just to add a bit more detail for others:

The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest*
versions of various containers that supported it are:

   - Jetty 8 (EOL'd since 11/2014) [1]
   - Tomcat 7 (Version 6 EOL'd 2017) [2]
   - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) [3]
   - WebSphere 8.0 (End of support 4/2018) [4]
   - WebLogic 12cR1 (Extended Support until 12/2019) [5]

The implication is that, of these products, there are *no* currently
supported versions that *do not* support the Servlet 3.0 spec. I believe it
is quite safe for us to indicate that the Session Modules are now only
supported on 3.0 compliant containers.

--Jens

[1] - https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
[2] - http://tomcat.apache.org/whichversion.html
[3] - https://access.redhat.com/support/policy/updates/jboss_notes
[4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
[5] - https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life

On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <smith...@macewan.ca> wrote:

> Hello,
>
> The Geode HTTP Session Management Module for AppServers currently states:
> This approach is a generic solution, which is supported by any container
> that implements the Servlet 2.4 specification.
> I would like to suggest that this official support be bumped up to the
> Servlet 3.0 specification.
>
> There are some important cookie security features missing in the ancient
> Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping support to
> Servlet 3.0 would allow the Geode AppServer session module to inherently
> support these session cookie security features.
>
> I have logged the following Jira issue:
>
> https://issues.apache.org/jira/browse/GEODE-7438
>
> and submitted a pull request that provides the necessary support if the
> Geode community agrees this is a good idea.
>
> And thank you for the excellent Apache Geode project!
>
> --
>
> Charles Smith
>
> Developer/Analyst
>
> Web Architecture and Development
> MacEwan University
> smith...@macewan.ca
>
>
