On 28/02/2011 21:31, Leo Donahue - PLANDEVX wrote:
> A security audit of my site indicated a "Missing HttpOnly attribute in
> Session Cookie" problem. If this is a security problem,
In and of itself a missing httpOnly attribute is not a security
vulnerability. It is, however, a good idea to ena
A security audit of my site indicated a "Missing HttpOnly attribute in Session
Cookie" problem. If this is a security problem, then why does the useHttpOnly
attribute in Context default to false? I'm not specifically setting any
cookies...
http://tomcat.apache.org/tomcat-6.0-doc/config/contex