On 28/02/2011 21:31, Leo Donahue - PLANDEVX wrote:
> A security audit of my site indicated a "Missing HttpOnly attribute in 
> Session Cookie" problem.  If this is a security problem,

In and of itself a missing httpOnly attribute is not a security
vulnerability. It is, however, a good idea to enable it since it
provides a fair amount of protection should your web app have an XSS
vulnerability (and most apps do).

> then why does the useHttpOnly attribute in Context default to false?

Backwards compatibility. The feature was added just after a lot of other
cookie changes (to make Tomcat more specification compliant) that caused
issues for a fair number of users whose apps were not spec compliant.
The Tomcat devs voted to make it disabled by default to reduce the risk
of further backwards compatibility issues.

It is enabled by default in Tomcat 7.

Mark
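The audit finding in the question can be reproduced with a small check of the Set-Cookie headers a response sends. The script below is an added example, not code from the thread or from Tomcat; it assumes Tomcat's default session cookie name JSESSIONID and works on constructed sample headers rather than a live response.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attribute on session cookies.

Added example: fixing the finding on Tomcat 6 means setting useHttpOnly="true"
on the <Context> element; on Tomcat 7 it is already the default.
"""

# Assumption: Tomcat's default session cookie name.
SESSION_COOKIE_NAMES = {"JSESSIONID"}

# Constructed sample headers, as an audit tool might capture them from responses.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/app; HttpOnly; Secure",  # correctly flagged
    "JSESSIONID=def456; Path=/app",                    # the problem in the audit
    "theme=dark; Path=/",                              # not a session cookie, ignored
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers):
    """Return one finding string per missing attribute on each session cookie."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIE_NAMES:
            continue
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```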

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org