https://bz.apache.org/bugzilla/show_bug.cgi?id=69478
Bug ID: 69478
Summary: Cookie setSecure and setHttpOnly ignore argument
Product: Tomcat 11
Version: 11.0.1
Hardware: PC
OS: Linux
Status: NEW
Severity: regression
Priority: P2
Component: Servlet
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -------
Both methods on Cookie [1] `setSecure(bool)` and `setHttpOnly(bool)` ignore the
argument given to them. This effectively means calling `setHttpOnly(false)` on
a cookie actually enables the HttpOnly flag for the cookie instead of disabling
it, breaking the browser's access to the cookie value.

This was changed in a commit [2] for Tomcat 11, intending to change the data
internals of the cookie. However, I don't assume this breaking change was
intended because the doc stayed the same and still suggests the proper
behavior.

[1]: https://github.com/apache/tomcat/blob/main/java/jakarta/servlet/http/Cookie.java
[2]: https://github.com/apache/tomcat/commit/4ca2a66d6203ce7843fbaa9fd47be82cba477781
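
A regression check for the behavior reported above, added here as an example and not taken from the report or from Tomcat's code base: it applies `setSecure` and `setHttpOnly` in several orders and lists every case where the getter disagrees with the last value set. It assumes the `jakarta.servlet.http.Cookie` class of the Tomcat build under test is on the classpath and that `getSecure()` and `isHttpOnly()` reflect the stored flag state; the class name `CookieFlagCheck` and the cookie name and value are constructed.

```java
import jakarta.servlet.http.Cookie;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example (not Tomcat code): do the cookie flag setters honor their argument? */
public class CookieFlagCheck {

    /** Returns one line per case where a getter disagrees with the last value passed to the setter. */
    static List<String> findMismatches() {
        List<String> mismatches = new ArrayList<>();
        // Each sequence is applied in order to a fresh cookie; the last value must win.
        // {true, false} covers clearing a flag that was previously set.
        boolean[][] sequences = { {false}, {true}, {true, false}, {false, true} };
        for (boolean[] seq : sequences) {
            Cookie cookie = new Cookie("probe", "constructed-value"); // constructed sample
            for (boolean flag : seq) {
                cookie.setSecure(flag);
                cookie.setHttpOnly(flag);
            }
            boolean expected = seq[seq.length - 1];
            String calls = Arrays.toString(seq);
            if (cookie.getSecure() != expected) {
                mismatches.add("setSecure " + calls + " -> getSecure() = " + cookie.getSecure());
            }
            if (cookie.isHttpOnly() != expected) {
                mismatches.add("setHttpOnly " + calls + " -> isHttpOnly() = " + cookie.isHttpOnly());
            }
        }
        return mismatches;
    }

    public static void main(String[] args) {
        List<String> mismatches = findMismatches();
        if (mismatches.isEmpty()) {
            System.out.println("OK: setSecure/setHttpOnly honor their argument");
        } else {
            mismatches.forEach(line -> System.out.println("MISMATCH: " + line));
        }
        // Non-zero exit lets a CI job fail when the servlet API ignores the argument.
        System.exit(mismatches.isEmpty() ? 0 : 1);
    }
}
```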