[ https://issues.apache.org/jira/browse/SLING-1762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger resolved SLING-1762.
--------------------------------------

    Resolution: Fixed

Implemented support for HttpOnly cookies in Rev. 996543

> Improve security of form auth handler cookies
> ---------------------------------------------
>
>                 Key: SLING-1762
>                 URL: https://issues.apache.org/jira/browse/SLING-1762
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2
>
>
> There is a nice feature of Cookie support in browsers today, which prevents
> cookies from being accessed in client side JavaScript: "HttpOnly". This makes
> using cookies almost as safe as HTTP Basic Authentication from the POV of
> accessing the data from client-side JavaScript.
> The cookie(s) produced by the Form Authentication Handler should be protected
> using this attribute.
> The drawback is that the Set-Cookie response header must be created manually
> because the Servlet API Cookie class up to and including 2.5 does not support
> setting this attribute (Servlet API 3.0 Cookie supports it, but we don't
> support Servlet API 3.0)
> See http://www.owasp.org/index.php/HttpOnly for full details and
> http://www.browserscope.org/?category=security for up to date browser support
> information.
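The workaround the issue describes, building the Set-Cookie header by hand because the Servlet 2.5 Cookie class has no HttpOnly setter, as an added example. This is not Sling's own code from Rev. 996543; the class name HttpOnlyCookieHeader, the cookie name "example-auth" and the token value are constructed for illustration. The builder also rejects control characters and ';' in the name and value, since a hand-built header has none of the escaping the Cookie class would otherwise apply, and includes a small check a test or filter could use to confirm a response's Set-Cookie headers carry the attribute.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Builds a Set-Cookie header value that carries the HttpOnly attribute.
 * Needed on Servlet API 2.5, where javax.servlet.http.Cookie cannot set it;
 * on Servlet API 3.0 cookie.setHttpOnly(true) achieves the same.
 * (Example class, not part of the Sling Form Based Authentication module.)
 */
public final class HttpOnlyCookieHeader {

    private HttpOnlyCookieHeader() {}

    /**
     * @param name   cookie name (RFC 2616 token)
     * @param value  cookie value; no control characters, ';' or ','
     * @param path   cookie path, or null to omit the Path attribute
     * @param maxAge lifetime in seconds; negative for a session cookie, 0 to delete
     * @param secure add the Secure attribute (assumes the handler is served over HTTPS)
     */
    public static String build(String name, String value, String path, int maxAge, boolean secure) {
        requireToken(name);
        requireNoDelimiters(value, "value");
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            requireNoDelimiters(path, "path");
            sb.append("; Path=").append(path);
        }
        if (maxAge >= 0) {
            sb.append("; Max-Age=").append(maxAge);
        }
        if (secure) {
            sb.append("; Secure");
        }
        // The attribute the Servlet 2.5 Cookie class cannot emit.
        sb.append("; HttpOnly");
        return sb.toString();
    }

    /** True if a Set-Cookie header value carries the HttpOnly attribute (case-insensitive). */
    public static boolean isHttpOnly(String setCookieHeader) {
        for (String part : setCookieHeader.split(";")) {
            if (part.trim().equalsIgnoreCase("HttpOnly")) {
                return true;
            }
        }
        return false;
    }

    /** Returns the names of cookies in the given Set-Cookie headers that lack HttpOnly. */
    public static List<String> cookiesWithoutHttpOnly(List<String> setCookieHeaders) {
        List<String> missing = new ArrayList<String>();
        for (String header : setCookieHeaders) {
            if (!isHttpOnly(header)) {
                int eq = header.indexOf('=');
                missing.add(eq > 0 ? header.substring(0, eq).trim() : header.trim());
            }
        }
        return missing;
    }

    private static void requireToken(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty cookie name");
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            // RFC 2616 token: no control characters, whitespace or separators
            if (c <= 0x20 || c >= 0x7f || "()<>@,;:\\\"/[]?={}".indexOf(c) >= 0) {
                throw new IllegalArgumentException("illegal character in cookie name");
            }
        }
    }

    private static void requireNoDelimiters(String s, String what) {
        // CR/LF would end the header; ';' and ',' would start a new attribute or cookie.
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7f || c == ';' || c == ',') {
                throw new IllegalArgumentException("illegal character in cookie " + what);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not a real Sling token.
        String header = build("example-auth", "dXNlcjpvcGFxdWUtdG9rZW4", "/", -1, true);
        System.out.println(header);
        // In a Servlet 2.5 handler: response.addHeader("Set-Cookie", header);
        System.out.println("HttpOnly set: " + isHttpOnly(header));
    }
}
```

The `cookiesWithoutHttpOnly` check is the defender's side of the same point: run over the Set-Cookie headers of a login response (for instance in an integration test), it lists any authentication cookie still readable from client-side JavaScript.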