[
https://issues.apache.org/jira/browse/SHIRO-139?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Les Hazlewood resolved SHIRO-139.
---------------------------------
Resolution: Fixed
org.apache.shiro.web.servlet.Cookie interface now provides isHttpOnly() and
setHttpOnly(boolean httpOnly) methods and the
org.apache.shiro.web.servlet.SimpleCookie implementation supports setting the
'Set-Cookie' header with the HttpOnly flag as necessary.
> Cookie support refactoring - Simplify cookie configuration, support HttpOnly
> cookies and default session cookies to be HttpOnly = true
> --------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SHIRO-139
> URL: https://issues.apache.org/jira/browse/SHIRO-139
> Project: Shiro
> Issue Type: Improvement
> Components: Web
> Affects Versions: 1.0.0
> Reporter: Les Hazlewood
> Fix For: 1.0.0
>
> Original Estimate: 3h
> Remaining Estimate: 3h
>
> It would also be prudent to refactor the cookie support in Shiro to
> 1) remove the overly verbose and complex RequestAttribute /
> CookieRequestAttribute concepts. This existed as a way to shield Shiro from
> implementation details on how to persist and retrieve data across requests.
> It'd be better to allow end-users to just configure a Cookie pojo instance
> that is set on cookie-capable components which in turn use a mechanism to
> set/remove the cookie
> 2) support the notion of HttpOnly cookies, which the Servlet 2.4/2.5 API does not
> support, but we could support with our own Cookie pojo used in configuration
> (see #1) which we set on the response header directly (response.setHeader
> instead of response.addCookie)
> 3) After adding #2, default Shiro's session cookie to be HttpOnly = true for
> added security to reduce XSS attacks.
--
This message is automatically generated by JIRA.
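The technique the issue describes, writing the Set-Cookie header by hand because the Servlet 2.4/2.5 Cookie class cannot emit HttpOnly, as an added example that is not Shiro's own SimpleCookie code; the class and method names are assumptions. It uses addHeader rather than the setHeader mentioned in the description so that cookies already queued on the response are not overwritten.

```java
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper (not Shiro's SimpleCookie): Servlet 2.4/2.5
 * javax.servlet.http.Cookie has no setHttpOnly(), so the Set-Cookie
 * header value is assembled by hand and written to the response.
 */
public final class HttpOnlyCookieWriter {

    private HttpOnlyCookieWriter() {}

    /** Builds the Set-Cookie value; maxAgeSeconds < 0 means a browser-session cookie, 0 deletes it. */
    public static String buildSetCookieValue(String name, String value, String path,
                                             String domain, int maxAgeSeconds,
                                             boolean secure, boolean httpOnly) {
        checkToken(name, "name");
        String safeValue = value == null ? "" : value;
        checkToken(safeValue, "value");
        StringBuilder sb = new StringBuilder(name).append('=').append(safeValue);
        if (path != null && !path.isEmpty()) sb.append("; Path=").append(path);
        if (domain != null && !domain.isEmpty()) sb.append("; Domain=").append(domain);
        if (maxAgeSeconds >= 0) sb.append("; Max-Age=").append(maxAgeSeconds);
        if (secure) sb.append("; Secure");
        if (httpOnly) sb.append("; HttpOnly"); // the attribute the 2.5 Cookie API cannot set
        return sb.toString();
    }

    /** Rejects separators and control characters so a value cannot smuggle extra attributes or headers. */
    private static void checkToken(String s, String what) {
        if (s == null || (what.equals("name") && s.isEmpty())) {
            throw new IllegalArgumentException("cookie " + what + " is required");
        }
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c == 0x7f || c == ';' || c == ','
                    || (c == '=' && what.equals("name"))) {
                throw new IllegalArgumentException("illegal character in cookie " + what);
            }
        }
    }

    /** Writes an HttpOnly + Secure session cookie; assumes a container-supplied HttpServletResponse. */
    public static void addSessionCookie(HttpServletResponse response,
                                        String cookieName, String sessionId) {
        String header = buildSetCookieValue(cookieName, sessionId, "/", null, -1, true, true);
        // addHeader, not setHeader: setHeader replaces any Set-Cookie already
        // queued on this response, which would silently drop other cookies.
        response.addHeader("Set-Cookie", header);
    }
}
```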