Folks,

The implementation of httpOnly support in Tomcat 7 fits well with the previous httpOnly patch [1] that is currently the proposed backport for 6.0.x.

When originally proposed, there was some concern that the v3 servlet spec may require some changes. This hasn't been the case. With that in mind, could folks please review their comments and votes for this patch? I'd like to get it into 6.0.19 if possible.

If you still think there is room for improvement, I'm happy to take another look at this. Some pointers as to how you think things could/should be improved would be appreciated.

If you do vote for this patch, please remember to indicate your preference for using or not using httpOnly for session cookies by default.

Cheers,

Mark

[1] http://svn.apache.org/viewvc?view=rev&revision=694992