Matt Baker created SHIRO-601:
--------------------------------
Summary: deleted cookies don't set httpOnly flag, trigger warnings in PEN tools
Key: SHIRO-601
URL: https://issues.apache.org/jira/browse/SHIRO-601
Project: Shiro
Issue Type: Bug
Components: Session Management
Affects Versions: 1.3.2
Environment: java 1.7.045
Reporter: Matt Baker
When Shiro deletes a session cookie on logout it explicitly sets the httpOnly flag to false. This is triggering false positive warnings in PEN testing tools like OWASP.

To avoid this, Shiro should ALWAYS set the httpOnly flag for its session cookies whether they are being set to 'deleteMe' or not.
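The following is an added example, not Shiro's own code, written to show the behaviour the report describes from a scanner's point of view: it builds the Set-Cookie header for a session-cookie removal once with HttpOnly dropped (as reported) and once with the flag kept, then audits each header the way a cookie check in a PEN testing tool does. The cookie name JSESSIONID, the Path/Secure attribute values and the helper names are constructed for the example.

```python
# Added example (not Shiro's code): compares a session-cookie removal header
# that drops HttpOnly, as the report describes, with one that keeps the flag,
# and audits both as a scanner would. JSESSIONID and the attribute values are
# constructed sample data.

DELETED_VALUE = "deleteMe"  # value the report says Shiro writes on logout


def build_set_cookie(name, value, path="/", domain=None, max_age=None,
                     secure=False, http_only=False):
    """Assemble a Set-Cookie header value from name/value and attributes."""
    parts = [f"{name}={value}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts.append(f"Path={path}")
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def delete_cookie_as_reported(name, path="/", domain=None, secure=True):
    """Removal header as the report describes it: Max-Age=0, HttpOnly forced off."""
    return build_set_cookie(name, DELETED_VALUE, path, domain, max_age=0,
                            secure=secure, http_only=False)


def delete_cookie_hardened(name, path="/", domain=None, secure=True):
    """Removal header that keeps the flags the live cookie was issued with."""
    return build_set_cookie(name, DELETED_VALUE, path, domain, max_age=0,
                            secure=secure, http_only=True)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lowercase attr: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for attr in rest:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def audit_set_cookie(header):
    """Return the findings a scanner would raise for one Set-Cookie header.

    A deletion cookie (Max-Age=0) is judged like any other: the tool reports
    the flags that are absent, regardless of the value being 'deleteMe'.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    return findings


if __name__ == "__main__":
    for header in (delete_cookie_as_reported("JSESSIONID"),
                   delete_cookie_hardened("JSESSIONID")):
        print(header, "->", audit_set_cookie(header) or "clean")
```

Running the block prints the reported header with a "missing HttpOnly" finding and the hardened header as clean; the audit deliberately ignores Max-Age and the cookie value, which is why a scanner cannot tell a deletion cookie apart from a live one.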
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)