On 08/03/17 12:53, Pritchett, Mark S. (CONT) wrote: > Hi All > > My first posting. > > Server version: Apache Tomcat/7.0.67 > JVM Version: 1.7.0_131-mockbuild_2017_02_07_02_15-b00 > > A vulnerability scan has shown that tomcat doesn't apply httpOnly to come > cookies. > I need to determine if this can be 'corrected'.
<snip/> > My understanding is that httpOnly is the default with this version of tomcat: > https://tomcat.apache.org/tomcat-7.0-doc/config/context.html > Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the > issue is still reported by a scan. > > Any ideas please? Read the docs more carefully. useHttpOnly applies to session cookies. Any cookie the application creates, the application has to set the httpOnly attribute appropriately. You have an application problem, not a Tomcat problem. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
