Hi,
In order to prevent attacks we should do $subject. For this, there are a
couple of things specified in the security checklist.
1. cookies are exposed only over HTTP
In repository/conf/tomcat/context.xml, set:
*useHttpOnly="true"*
2. cookies are exposed only over HTTPS
In all web.xml configs, set:
<session-config>
    <cookie-config>
        *<secure>true</secure>*
    </cookie-config>
</session-config>
Shall we enable these by default from the kernel level where applicable?
[1] https://www.owasp.org/index.php/HttpOnly
thanks,
--
Supun Malinga,
Senior Software Engineer,
WSO2 Inc.
http://wso2.com
email: [email protected] <[email protected]>
mobile: +94 (0)71 56 91 321
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
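As an added example (not part of the message above and not WSO2's own code), the following Python script audits a Tomcat context.xml for useHttpOnly="true" and web.xml files for <session-config>/<cookie-config>/<secure>true</secure>, the two checklist items from the message. It runs here over constructed sample files; the file paths, sample contents and function names are assumptions for illustration, though the XML structure follows the settings quoted above.

```python
"""Audit Tomcat session-cookie settings (HttpOnly in context.xml, Secure in web.xml)."""
import os
import xml.etree.ElementTree as ET

# Constructed sample files for this example; paths and contents are assumptions,
# not taken from an actual WSO2 distribution.
WEAK_CONTEXT = '<Context path="/"><Manager pathname=""/></Context>'
HARDENED_CONTEXT = '<Context path="/" useHttpOnly="true"><Manager pathname=""/></Context>'

WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""


def _local(tag):
    """Strip the namespace prefix ElementTree puts on tags: '{ns}secure' -> 'secure'."""
    return tag.rsplit('}', 1)[-1]


def _descend(elem, *names):
    """Walk a path of child tag names ignoring namespaces; None if any step is missing."""
    for name in names:
        elem = next((child for child in elem if _local(child.tag) == name), None)
        if elem is None:
            return None
    return elem


def check_context_xml(text):
    """Findings for a context.xml document; an empty list means the check passed."""
    root = ET.fromstring(text)
    if _local(root.tag) != 'Context':
        return ['root element is not <Context>']
    value = root.get('useHttpOnly')
    if value is None:
        return ['useHttpOnly attribute missing on <Context>']
    if value.strip().lower() != 'true':
        return ['useHttpOnly is "%s", expected "true"' % value]
    return []


def check_web_xml(text):
    """Findings for a web.xml document; an empty list means the check passed."""
    root = ET.fromstring(text)
    secure = _descend(root, 'session-config', 'cookie-config', 'secure')
    if secure is None:
        return ['<session-config>/<cookie-config>/<secure> missing']
    if (secure.text or '').strip().lower() != 'true':
        return ['<secure> is "%s", expected "true"' % (secure.text or '').strip()]
    return []


# Dispatch on file name: only the two config files the checklist covers are checked.
CHECKS = {'context.xml': check_context_xml, 'web.xml': check_web_xml}


def audit(files):
    """files maps a path to its XML text; returns {path: findings} for files that fail."""
    report = {}
    for path, text in files.items():
        check = CHECKS.get(os.path.basename(path))
        if check is None:
            continue  # not a context.xml or web.xml, nothing to check
        findings = check(text)
        if findings:
            report[path] = findings
    return report


if __name__ == '__main__':
    sample = {
        'repository/conf/tomcat/context.xml': WEAK_CONTEXT,
        'repository/conf/tomcat/web.xml': WEAK_WEB_XML,
        'webapps/foo/WEB-INF/web.xml': HARDENED_WEB_XML,
    }
    for path, findings in audit(sample).items():
        for finding in findings:
            print('%s: %s' % (path, finding))
```

Two practical notes. Tomcat 7 and later default useHttpOnly to true when the attribute is absent, but the script still reports an absent attribute so that the intent is written down explicitly in context.xml. And <secure>true</secure> tells the browser never to send the session cookie over plain HTTP, so any deployment that still serves the application over HTTP will lose its sessions once this is enabled; enforce HTTPS (or at least redirect HTTP to HTTPS) before turning it on.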