https://issues.apache.org/bugzilla/show_bug.cgi?id=49716
Summary: HttpOnly flag can't be turned off for JSESSIONID
Product: Tomcat 7
Version: unspecified
Platform: PC
Status: NEW
Severity: normal
Priority: P2
Component: Servlet & JSP API
AssignedTo: [email protected]
ReportedBy: [email protected]
Using a simple JSP that contains only text, I verified that the HttpOnly flag is
always set for the JSESSIONID when using either of the following
configurations:

    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>

    <cookie-config>
      <http-only>false</http-only>
    </cookie-config>

Specifying false should create a JSESSIONID without the HttpOnly flag.
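
One way to check the reported behaviour from the response side, as an added example that is not part of the original report or of Tomcat: parse the Set-Cookie headers of a response and compare the JSESSIONID cookie's HttpOnly flag with the <http-only> value configured in web.xml. The function names and the sample header values are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the session cookie's HttpOnly flag.
# The header values below are constructed samples, not captured from Tomcat.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names (Path, HttpOnly, Secure, ...) are case-insensitive.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def session_cookie_http_only(set_cookie_headers, cookie_name="JSESSIONID"):
    """Return True/False for the cookie's HttpOnly flag, None if it is not set."""
    result = None
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name == cookie_name:
            # If the cookie is set more than once, report the last occurrence.
            result = "httponly" in attrs
    return result


def check_against_config(set_cookie_headers, configured_http_only):
    """Compare the observed flag with the <http-only> value from web.xml."""
    observed = session_cookie_http_only(set_cookie_headers)
    if observed is None:
        return "no session cookie in response"
    if observed == configured_http_only:
        return "ok"
    return "mismatch: configured %s, observed %s" % (configured_http_only, observed)


# Constructed sample responses (one list entry per Set-Cookie header).
SAMPLE_WITH_FLAG = ["JSESSIONID=0123456789ABCDEF; Path=/demo; HttpOnly"]
SAMPLE_WITHOUT_FLAG = ["JSESSIONID=0123456789ABCDEF; Path=/demo"]
SAMPLE_OTHER_COOKIE = ["theme=dark; Path=/; httponly"]

if __name__ == "__main__":
    # The situation in the report: <http-only>false</http-only>, flag still sent.
    print(check_against_config(SAMPLE_WITH_FLAG, configured_http_only=False))
    print(check_against_config(SAMPLE_WITHOUT_FLAG, configured_http_only=False))
```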