[ https://issues.apache.org/jira/browse/SLING-1762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger resolved SLING-1762.
--------------------------------------

    Resolution: Fixed

Implemented support for HttpOnly cookies in Rev. 996543

> Improve security of form auth handler cookies
> ---------------------------------------------
>
>                 Key: SLING-1762
>                 URL: https://issues.apache.org/jira/browse/SLING-1762
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2
>
>
> There is a nice feature of Cookie support in browsers today, which prevents 
> cookies from being accessed in client side JavaScript: "HttpOnly". This makes 
> using cookies almost as safe as HTTP Basic Authentication from the POV of 
> accessing the data from client-side JavaScript.
> The cookie(s) produced by the Form Authentication Handler should be protected 
> using this attribute.
> The drawback is that the Set-Cookie response header must be created manually 
> because the Servlet API Cookie class up to and including 2.5 does not support 
> setting this attribute (Servlet API 3.0 Cookie supports it, but we don't 
> support Servlet API 3.0).
> See http://www.owasp.org/index.php/HttpOnly for full details and 
> http://www.browserscope.org/?category=security for up to date browser support 
> information.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
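The manual Set-Cookie construction the quoted issue describes, as an added example that is not Sling's own code and not the change made in Rev. 996543. It assumes a Servlet 2.5 container, so it does not call javax.servlet.http.Cookie at all; the class name `HttpOnlyCookieHeader`, the method `build` and the cookie name `sling.formauth` are illustrative choices. The returned string is meant for `HttpServletResponse.addHeader("Set-Cookie", ...)` in place of `addCookie(...)`. Because the header is assembled by hand, the container's own validation of name and value is bypassed, so the helper validates both against the RFC 6265 grammar itself; otherwise a value containing `;` or a CR/LF could append attributes or whole headers.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Sling's code): builds a Set-Cookie header value by hand
 * so the HttpOnly attribute can be sent from a Servlet 2.5 container, whose
 * javax.servlet.http.Cookie class has no setHttpOnly().
 */
public final class HttpOnlyCookieHeader {

    // RFC 6265: cookie-name is an HTTP token; cookie-value is made of
    // cookie-octets (no CTLs, whitespace, '"', ',', ';' or '\').
    // Rejecting anything else prevents attribute and header injection.
    private static final Pattern TOKEN =
        Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    private static final Pattern COOKIE_OCTETS =
        Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");

    private HttpOnlyCookieHeader() {}

    /**
     * @param name   cookie name (must be a token)
     * @param value  cookie value (must be cookie-octets; may be empty)
     * @param path   Path attribute, or null to omit it
     * @param maxAge seconds until expiry; negative means a session cookie
     * @param secure add the Secure attribute (cookie only sent over HTTPS)
     * @return value for HttpServletResponse.addHeader("Set-Cookie", ...)
     */
    public static String build(String name, String value, String path,
                               int maxAge, boolean secure) {
        if (name == null || !TOKEN.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        if (value == null || !COOKIE_OCTETS.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid cookie value");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            // Path is an av-octets run: anything except CTLs and ';'.
            if (path.indexOf(';') >= 0 || hasCtl(path)) {
                throw new IllegalArgumentException("invalid cookie path");
            }
            sb.append("; Path=").append(path);
        }
        if (maxAge >= 0) {
            sb.append("; Max-Age=").append(maxAge);
        }
        if (secure) {
            sb.append("; Secure");
        }
        // The attribute the Servlet 2.5 Cookie class cannot express.
        sb.append("; HttpOnly");
        return sb.toString();
    }

    private static boolean hasCtl(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7F) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: a form-auth cookie on a TLS site, 30 minutes.
        System.out.println(build("sling.formauth", "abc123", "/", 1800, true));

        // Constructed sample of a value the container would otherwise not
        // check for us; the helper refuses it instead of emitting the header.
        try {
            build("sling.formauth", "abc;\r\nfoo", "/", -1, false);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac HttpOnlyCookieHeader.java && java HttpOnlyCookieHeader`; no servlet jar is needed because the class only produces the header string. Two points worth keeping in mind when wiring it into a handler: `addHeader` (not `setHeader`) must be used so that other cookies already queued on the response are not overwritten, and `Secure` should be set whenever the request arrived over TLS, since HttpOnly only stops script access and does nothing against a cookie sent in clear text.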