Re: Support for httpOnly cookies in Tomcat 6.0.x

2009-02-28 Thread Jim Manico

Mark,

I for one am thrilled to see HTTPOnly support for Session Cookies in Tomcat 
6.0 get close to fruition.


My opinion is that I think that session cookies should not be tagged as 
HTTPOnly for Tomcat 6 by default. (Of course configuration should allow for 
turning this on).


I worry that it's going to be rather tough to get to the bottom of what is 
going wrong - when extreme edge cases of HTTPOnly use cause a problem.


Either way, adding HTTPOnly to Tomcat 6 will certainly go a long way in 
stopping session-theft based XSS attacks at the configuration level so that 
programmers will not need to do anything to win this protection. Sadly, 
Yahoo's job board was hacked with an XSS session theft attack just a few 
months ago - HTTPOnly would have stopped it.


Best Regards to you all,
(even Remy),
Jim





- Original Message - 
From: Mark Thomas ma...@apache.org

To: Tomcat Developers List dev@tomcat.apache.org
Sent: Wednesday, February 25, 2009 5:56 AM
Subject: Re: Support for httpOnly cookies in Tomcat 6.0.x



Ping. This has been hanging around the status file for a while and I'd
quite like to complete it.

Mark

Mark Thomas wrote:

Folks,

The implementation of httpOnly support in Tomcat 7 fits well with the 
previous httpOnly patch [1] that is currently the proposed backport for 6.0.x

When originally proposed there was some concern that the v3 servlet spec 
may require some changes. This hasn't been the case. With that in mind could 
folks please review their comments and votes for this patch. I'd like to get 
it into 6.0.19 if possible.

If you still think there is room for improvement, I'm happy to take 
another look at this. Some pointers as to how you think things could/should 
be improved would be appreciated.

If you do vote for this patch, please remember to indicate your 
preference for using or not using httpOnly for session cookies by default.

Cheers,

Mark

[1] http://svn.apache.org/viewvc?view=rev&revision=694992


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org











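A way to check, from the client side, whether a running server actually issues its session cookie with the flag this thread is voting on. This is an added example for the thread, not code from the Tomcat project or from either poster. The two HTTP responses in it are constructed to resemble what a Tomcat 6.0.x instance would send for a new session without and with HttpOnly on JSESSIONID; the "theme" cookie is a hypothetical application-set cookie, included to show that a container-level setting covers only the session cookie and not cookies the application sets itself.

```python
"""Report which cookies in an HTTP response carry the HttpOnly flag.

Added example, not Tomcat project code. The sample responses below are
constructed; the "theme" cookie is a hypothetical application cookie.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names lower-cased; flag attributes (HttpOnly, Secure) map to None.
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are compared case-insensitively because browsers treat
    "httponly" and "HttpOnly" alike, so a checker must as well.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_eq, val = attr.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip() if has_eq else None
    return cookie


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response.

    A response may carry several Set-Cookie headers, one cookie each, so
    every matching line is collected rather than only the first.
    """
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    values: List[str] = []
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookies_from_response(raw_response: str) -> Dict[str, Cookie]:
    """Map cookie name -> Cookie, in header order.

    If one name is set more than once, the last header wins, matching how
    a browser applies repeated Set-Cookie headers for the same cookie.
    """
    result: Dict[str, Cookie] = {}
    for value in set_cookie_headers(raw_response):
        cookie = parse_set_cookie(value)
        result[cookie.name] = cookie
    return result


def session_cookie_http_only(raw_response: str,
                             session_cookie: str = "JSESSIONID") -> Optional[bool]:
    """True/False for the session cookie's HttpOnly flag, or None when the
    response issued no session cookie (e.g. the client already had one)."""
    cookie = cookies_from_response(raw_response).get(session_cookie)
    return None if cookie is None else cookie.http_only


def cookies_missing_http_only(raw_response: str) -> List[str]:
    """Names of every cookie set without HttpOnly, in header order."""
    return [name for name, c in cookies_from_response(raw_response).items()
            if not c.http_only]


# Constructed sample: session cookie issued without the flag.
RESPONSE_WITHOUT_HTTPONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: session cookie flagged, plus a hypothetical
# application-set cookie that the container setting does not touch.
RESPONSE_WITH_HTTPONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/app\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("before", RESPONSE_WITHOUT_HTTPONLY),
                        ("after", RESPONSE_WITH_HTTPONLY)):
        print(label, "JSESSIONID HttpOnly:", session_cookie_http_only(resp),
              "unflagged cookies:", cookies_missing_http_only(resp))
```

To use it against a live server, feed the function the raw response of a request made without any existing JSESSIONID (a fresh client), since a container only issues the session cookie when it creates a session. Two caveats worth keeping in mind alongside Jim's remarks: the flag only stops script from reading the cookie via document.cookie, so an XSS payload can still drive authenticated requests from the victim's browser while the page is open, and a container-level switch does nothing for cookies the application sets itself, which is why the example reports every unflagged cookie rather than only the session one.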



Re: Support for httpOnly cookies in Tomcat 6.0.x

2009-02-25 Thread Mark Thomas
Ping. This has been hanging around the status file for a while and I'd
quite like to complete it.

Mark

Mark Thomas wrote:
 Folks,
 
 The implementation of httpOnly support in Tomcat 7 fits well with the previous
 httpOnly patch [1] that is currently the proposed backport for 6.0.x
 
 When originally proposed there was some concern that the v3 servlet spec may
 require some changes. This hasn't been the case. With that in mind could folks
 please review their comments and votes for this patch. I'd like to get it into
 6.0.19 if possible.
 
 If you still think there is room for improvement, I'm happy to take another 
 look at this. Some pointers as to how you think things could/should be 
 improved would be appreciated.
 
 If you do vote for this patch, please remember to indicate your preference for
 using or not using httpOnly for session cookies by default.
 
 Cheers,
 
 Mark
 
 [1] http://svn.apache.org/viewvc?view=rev&revision=694992
 
 
 







Support for httpOnly cookies in Tomcat 6.0.x

2009-02-13 Thread Mark Thomas
Folks,

The implementation of httpOnly support in Tomcat 7 fits well with the previous
httpOnly patch [1] that is currently the proposed backport for 6.0.x

When originally proposed there was some concern that the v3 servlet spec may
require some changes. This hasn't been the case. With that in mind could folks
please review their comments and votes for this patch. I'd like to get it into
6.0.19 if possible.

If you still think there is room for improvement, I'm happy to take another look
at this. Some pointers as to how you think things could/should be improved would
be appreciated.

If you do vote for this patch, please remember to indicate your preference for
using or not using httpOnly for session cookies by default.

Cheers,

Mark

[1] http://svn.apache.org/viewvc?view=rev&revision=694992

