Mark,

I for one am thrilled to see HTTPOnly support for Session Cookies in Tomcat 6.0 get close to fruition.

My opinion is that session cookies should not be tagged as HTTPOnly for Tomcat 6 by default. (Of course, configuration should allow for turning this on.)

I worry that it's going to be rather tough to get to the bottom of what is going wrong when extreme edge cases of HTTPOnly use cause a problem.

Either way, adding HTTPOnly to Tomcat 6 will certainly go a long way in stopping session-theft based XSS attacks at the configuration level, so that programmers will not need to do anything to win this protection. Sadly, Yahoo's job board was hacked with an XSS session theft attack just a few months ago; HTTPOnly would have stopped it.

Best Regards to you all,
(even Remy),
Jim
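
As an added example, not code from Tomcat or from anyone on this thread: once the flag is turned on (in the released 6.0.x line the switch is the `useHttpOnly` attribute on `<Context>`, off by default; that name comes from the 6.0.x docs, not from this thread), the thing a deployer actually wants is a check that the session cookie the server sends really carries `HttpOnly`. The Python below parses raw response headers, finds the session cookie (the Servlet default name `JSESSIONID` is assumed) and reports its `HttpOnly` and `Secure` flags. The two responses are constructed samples, not captures from a real server; attribute names are matched case-insensitively, as RFC 6265 requires.

```python
"""Check whether a server's session cookie is issued with the HttpOnly flag.

Added example, not Tomcat code. Feed it the raw response headers (e.g. the
output of `curl -sI https://host/app/`) and it tells you whether the session
cookie is protected from document.cookie reads.
"""
from typing import Dict, Optional

SESSION_COOKIE = "JSESSIONID"  # Servlet-spec default session cookie name (assumption)


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Attribute names are lower-cased so 'HttpOnly', 'httponly' and 'HTTPONLY'
    all match; flag attributes (no '=') map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def session_cookie_flags(raw_headers: str,
                         cookie_name: str = SESSION_COOKIE) -> Optional[Dict[str, bool]]:
    """Return {'httponly': bool, 'secure': bool} for the named cookie.

    Returns None when the response never sets that cookie, so a caller can
    distinguish 'no session issued' from 'session issued without the flag'.
    """
    for line in raw_headers.splitlines():
        field, _, val = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(val)
        if cookie["name"] == cookie_name:
            attrs = cookie["attrs"]
            return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}
    return None


# Constructed sample responses (not captured from a real server; the
# session id is a made-up value).
# How a 6.0.x response looks with the flag left off:
RESPONSE_DEFAULT = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9C2F5E0B5C3A1D7E4F6A8B9C0D1E2F3A; Path=/app
Content-Type: text/html;charset=ISO-8859-1
"""

# The same response once the HttpOnly option is enabled:
RESPONSE_HTTPONLY = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9C2F5E0B5C3A1D7E4F6A8B9C0D1E2F3A; Path=/app; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
"""


def audit(raw_headers: str) -> str:
    """One-line verdict suitable for a deployment checklist."""
    flags = session_cookie_flags(raw_headers)
    if flags is None:
        return "no %s cookie set in this response" % SESSION_COOKIE
    if not flags["httponly"]:
        return "%s is readable from document.cookie: HttpOnly is missing" % SESSION_COOKIE
    if not flags["secure"]:
        return "%s is HttpOnly but not Secure: still exposed over plain HTTP" % SESSION_COOKIE
    return "%s is HttpOnly and Secure" % SESSION_COOKIE


if __name__ == "__main__":
    for label, resp in (("default", RESPONSE_DEFAULT), ("httpOnly on", RESPONSE_HTTPONLY)):
        print("%-12s %s" % (label, audit(resp)))
```

Note what the flag does and does not buy: `HttpOnly` stops injected script from reading the cookie out of `document.cookie`, which is the session-theft pattern discussed above, but script running in the victim's page can still issue requests that the browser will send the cookie along with, and without `Secure` the cookie still travels over plain HTTP. It narrows one consequence of XSS rather than fixing the XSS.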





----- Original Message ----- From: "Mark Thomas" <ma...@apache.org>
To: "Tomcat Developers List" <dev@tomcat.apache.org>
Sent: Wednesday, February 25, 2009 5:56 AM
Subject: Re: Support for httpOnly cookies in Tomcat 6.0.x


Ping. This has been hanging around the status file for a while and I'd
quite like to complete it.

Mark

Mark Thomas wrote:
Folks,

The implementation of httpOnly support in Tomcat 7 fits well with the previous
httpOnly patch [1] that is currently the proposed backport for 6.0.x

When originally proposed there was some concern that the v3 servlet spec may require some changes. This hasn't been the case. With that in mind could folks please review their comments and votes for this patch. I'd like to get it into
6.0.19 if possible.

If you still think there is room for improvement, I'm happy to take another look at this. Some pointers as to how you think things could/should be improved would
be appreciated.

If you do vote for this patch, please remember to indicate your preference for
using or not using httpOnly for session cookies by default.

Cheers,

Mark

[1] http://svn.apache.org/viewvc?view=rev&revision=694992


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org