Context - useHttpOnly

2011-02-28 Thread Leo Donahue - PLANDEVX
A security audit of my site indicated a Missing HttpOnly attribute in Session 
Cookie problem.  If this is a security problem, then why does the useHttpOnly 
attribute in Context default to false?  I'm not specifically setting any 
cookies...

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

Using CATALINA_BASE:   C:\apache-tomcat-6.0.29
Using CATALINA_HOME:   C:\apache-tomcat-6.0.29
Using CATALINA_TMPDIR: C:\apache-tomcat-6.0.29\temp
Using JRE_HOME:        C:\Program Files\Java\jdk1.6.0_20
Using CLASSPATH:       C:\apache-tomcat-6.0.29\bin\bootstrap.jar
Server version: Apache Tomcat/6.0.29
Server built:   July 19 2010 1458
Server number:  6.0.0.29
OS Name:        Windows 2003
OS Version:     5.2
Architecture:   x86
JVM Version:    1.6.0_20-b02
JVM Vendor:     Sun Microsystems Inc

Leo



Re: Context - useHttpOnly

2011-02-28 Thread Mark Thomas
On 28/02/2011 21:31, Leo Donahue - PLANDEVX wrote:
> A security audit of my site indicated a Missing HttpOnly attribute in
> Session Cookie problem.  If this is a security problem,

In and of itself a missing httpOnly attribute is not a security
vulnerability. It is, however, a good idea to enable it since it
provides a fair amount of protection should your web app have an XSS
vulnerability (and most apps do).

> then why does the useHttpOnly attribute in Context default to false?

Backwards compatibility. The feature was added just after a lot of other
cookie changes (to make Tomcat more specification compliant) that caused
issues for a fair number of users whose apps were not spec compliant.
The Tomcat devs voted to make it disabled by default to reduce the risk
of further backwards compatibility issues.

It is enabled by default in Tomcat 7.

Mark
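The check the audit tool performed, written out as an added example (it is not code from the thread or from Tomcat): it parses the Set-Cookie headers of a response and reports session cookies that carry no HttpOnly attribute. The sample headers are constructed; JSESSIONID is the session cookie name Tomcat uses by default, and `audit_url` is a hypothetical helper for running the same check against a live server.

```python
import urllib.request

# Cookie names treated as session cookies (Tomcat's default is JSESSIONID).
SESSION_COOKIE_NAMES = {"jsessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attr: val}).

    Attribute names are lower-cased; flag attributes such as HttpOnly
    and Secure map to True, valued ones such as Path keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def missing_httponly(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return the names of session cookies set without HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in session_names and "httponly" not in attrs:
            findings.append(name)
    return findings


def audit_url(url):
    """Hypothetical helper: fetch a URL and run the check on its cookies."""
    with urllib.request.urlopen(url) as resp:
        return missing_httponly(resp.headers.get_all("Set-Cookie") or [])


# Constructed samples: what a Tomcat 6 default (useHttpOnly="false")
# response looks like, and the same cookie once useHttpOnly="true" is set.
TOMCAT6_DEFAULT = ["JSESSIONID=A1B2C3D4; Path=/myapp"]
WITH_USEHTTPONLY = ["JSESSIONID=A1B2C3D4; Path=/myapp; HttpOnly"]

if __name__ == "__main__":
    print("default :", missing_httponly(TOMCAT6_DEFAULT))   # ['JSESSIONID']
    print("hardened:", missing_httponly(WITH_USEHTTPONLY))  # []
```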
