[ 
https://issues.apache.org/jira/browse/TAP5-2327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15182997#comment-15182997
 ] 

Barry Books commented on TAP5-2327:
-----------------------------------


I believe you have to switch to Java 7 to get the servlet 3.0 spec and Jetty 7 
in Tapestry test only supports 2.5. Currently setting the httpOnly flag is way 
more difficult than it should be because the framework does not support it at 
all. I do it now by overriding the service and always setting the httpOnly flag 
if I'm in production mode. This works OK if you always want to set the flag.

I thought about patching the service to log an error if the httponly flag is set 
but then the logs get filled up and in the end I decided not supporting 
httponly is a documentation problem. Either way would be fine with me but I 
think the application should be able to set the httpOnly flag and have the 
service adapt to whatever the environment is.

I'm also assuming this will be in 5.5 anyway.


> The Cookies interface should provide an option to mark cookies as httpOnly
> --------------------------------------------------------------------------
>
>                 Key: TAP5-2327
>                 URL: https://issues.apache.org/jira/browse/TAP5-2327
>             Project: Tapestry 5
>          Issue Type: New Feature
>          Components: tapestry-core
>    Affects Versions: 5.3.7, 5.4
>            Reporter: Martin Schneider
>         Attachments: 
> 0001-TAP-2327-add-httpOnly-method-to-support-Servlet-3.0.patch, 
> 0002-TAP-2327-add-support-for-version-and-comment.patch
>
>
> Since Servlet 3.0 there is an option to mark cookies as httpOnly via 
> javax.servlet.http.Cookie.setHttpOnly(boolean). There should be an option to 
> use that in org.apache.tapestry5.services.Cookies. In 5.3.7 the default 
> implementation does not set the httpOnly flag.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
