Konstantin,
On 6/18/14, 5:34 AM, Konstantin Kolinko wrote:
> 2014-06-18 11:57 GMT+04:00 Konstantin Kolinko <knst.koli...@gmail.com>:
>>>
>>> HTTP/1.1 302 Found
>>> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT
>>> Pragma: No-cache
>>> Cache-Control: no-cache
>>> Expires: Thu, 01 Jan 1970 00:00:00 UTC
>>> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly
>>> Location: https://X.Y.A.B/admin/login.jsp
>>> Content-Length: 0
>>> Date: Tue, 17 Jun 2014 16:21:17 GMT
>>> Server: XYZ
>>>
>>
>> With that value of "Expires" the cookie is actually being cleared, not set.
>>
>
> The 'Secure' flag says that the browser should never send the cookie to the server over a non-secure connection.
>
> When the cookie is being cleared, the "Secure" flag is irrelevant, as the cookie will not be sent back by the browser.

+1

> The "HttpOnly" flag says that the cookie should not be accessible from Javascript code running in the browser. If the cookie is being deleted, is there a way to access it from Javascript? I think that there is no such way.

+1

I think this is a spurious error being flagged by the security scanner. Adding "HttpOnly" and "Secure" flags to the "expire" Set-Cookie header is just a waste of bytes because they have no effect whatsoever on what the client does with the cookie (it always deletes it, unless the system clock is set horribly wrong).
-chris
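The distinction drawn in the thread (a Set-Cookie whose Expires lies in the past clears the cookie, so Secure and HttpOnly findings only make sense on a header that actually sets one) can be encoded as a scanner-side triage rule. The code below is an added example, not code from the thread or from Tomcat; it also applies the RFC 6265 rule that Max-Age takes precedence over Expires, which the thread does not discuss. The fixed reference time, the two sample header values copied from the quoted response, and all function names are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Reference "now" for the check, fixed so the example is deterministic
# (assumption: the Date header of the quoted response).
NOW = datetime(2014, 6, 17, 16, 21, 17, tzinfo=timezone.utc)

# Constructed sample: the two Set-Cookie values from the quoted response.
SAMPLE_HEADERS = [
    "JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT",
    "JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly",
]


@dataclass
class CookieCheck:
    name: str
    deletion: bool                 # True when the header removes the cookie
    reason: str                    # why it was classed as deletion or set
    findings: list = field(default_factory=list)   # only for real sets


def _parse_expires(value):
    """Parse an Expires attribute (RFC 1123 or the dashed Tomcat form)."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_set_cookie(header_value, now=NOW):
    """Classify one Set-Cookie value; flag Secure/HttpOnly only on real sets."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")          # flags without '=' get v == ""
        attrs[k.lower()] = v.strip()

    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        if int(max_age) <= 0:               # Max-Age wins over Expires
            return CookieCheck(name, True, "Max-Age <= 0")
    elif "expires" in attrs:
        expires = _parse_expires(attrs["expires"])
        if expires is not None and expires <= now:
            return CookieCheck(name, True, "Expires in the past")

    result = CookieCheck(name, False, "cookie is set")
    for flag in ("secure", "httponly"):
        if flag not in attrs:
            result.findings.append("missing " + flag)
    return result
```

Running `check_set_cookie` over `SAMPLE_HEADERS` reports the JSESSIONIDSSO header as a deletion with no findings and the JSESSIONID header as a real set that already carries both flags.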