Mark,
I for one am thrilled to see HTTPOnly support for Session Cookies in Tomcat 6.0 get close to fruition.
My opinion is that session cookies should not be tagged as HTTPOnly for Tomcat 6 by default. (Of course configuration should allow for turning this on).
I worry that it's going to be rather tough to get to the bottom of what is going wrong - when extreme edge cases of HTTPOnly use cause a problem.
Either way, adding HTTPOnly to Tomcat 6 will certainly go a long way in stopping session-theft based XSS attacks at the configuration level so that programmers will not need to do anything to win this protection. Sadly, Yahoo's job board was hacked with an XSS session theft attack just a few months ago - HTTPOnly would have stopped it.
Best Regards to you all,
(even Remy),
Jim
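A defender's check for the point made above, as an added example that is not part of this thread or of the Tomcat code base: it parses Set-Cookie headers, reports session cookies that lack the HttpOnly flag, and shows the header rewrite the container performs once the option is on (the same rewrite an application filter would otherwise have to do per response). The cookie name JSESSIONID and the sample header values are assumptions, constructed for the example.

```python
"""Added example (not Tomcat's code): audit Set-Cookie headers for HttpOnly."""
from typing import Dict, List, NamedTuple

# Tomcat's default session cookie name (assumption; deployments may rename it)
SESSION_COOKIE_NAMES = {"JSESSIONID"}


class CookieInfo(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, str]  # attribute names lower-cased; flag attributes map to ""


def parse_set_cookie(header: str) -> CookieInfo:
    """Split one Set-Cookie header into name, value and attributes.

    Attribute names are compared case-insensitively because browsers
    accept 'HttpOnly', 'httponly' and 'HTTPONLY' alike.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return CookieInfo(name.strip(), value.strip(), attrs)


def missing_http_only(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of session cookies in a response that lack HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name in SESSION_COOKIE_NAMES and "httponly" not in cookie.attrs:
            findings.append(cookie.name)
    return findings


def add_http_only(header: str) -> str:
    """Append '; HttpOnly' unless the header already carries the flag."""
    if "httponly" in parse_set_cookie(header).attrs:
        return header
    return header.rstrip().rstrip(";") + "; HttpOnly"


if __name__ == "__main__":
    # Constructed sample headers: a session cookie set without the flag,
    # plus an ordinary cookie that the audit ignores.
    sample = ["JSESSIONID=A1B2C3D4E5F6; Path=/app",
              "theme=dark; Path=/; Max-Age=31536000"]
    print("lacking HttpOnly:", missing_http_only(sample))
    print("fixed:", add_http_only(sample[0]))
```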
- Original Message -
From: Mark Thomas ma...@apache.org
To: Tomcat Developers List dev@tomcat.apache.org
Sent: Wednesday, February 25, 2009 5:56 AM
Subject: Re: Support for httpOnly cookies in Tomcat 6.0.x
Ping. This has been hanging around the status file for a while and I'd quite like to complete it.
Mark
Mark Thomas wrote:
Folks,
The implementation of httpOnly support in Tomcat 7 fits well with the previous httpOnly patch [1] that is currently the proposed backport for 6.0.x
When originally proposed there was some concern that the v3 servlet spec may require some changes. This hasn't been the case. With that in mind could folks please review their comments and votes for this patch. I'd like to get it into 6.0.19 if possible.
If you still think there is room for improvement, I'm happy to take another look at this. Some pointers as to how you think things could/should be improved would be appreciated.
If you do vote for this patch, please remember to indicate your preference for using or not using httpOnly for session cookies by default.
Cheers,
Mark
[1] http://svn.apache.org/viewvc?view=rev&revision=694992
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org