Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

      Description

      With the HttpOnly flag, developers can block JavaScript access to selected cookies. This helps prevent session theft through XSS vulnerabilities.

      As the Java API does not currently support the HttpOnly flag, we need to provide a workaround that sets the cookies through the Set-Cookie header.

      There are multiple RFCs which describe the Set-Cookie header; the latest one is: http://www.rfc-editor.org/rfc/rfc6265.txt

      There are some changes in the characters allowed in cookie names, so implementing this RFC might break cookies that use some special characters.

      But there were problems with setting cookies through the Java API as well.
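      The workaround the description outlines, written out as an added example (not code from this issue or from the project): the Set-Cookie header is built by hand, the cookie name is checked against the RFC 6265 token grammar so that names with now-disallowed characters are rejected rather than silently emitted, and HttpOnly is appended before the header is added with `response.addHeader`. It assumes a `javax.servlet` API without a `setHttpOnly` method on `Cookie`; the class and method names are the example's own.

```java
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;

/** Builds an RFC 6265 Set-Cookie header value carrying the HttpOnly flag. */
public final class HttpOnlyCookieHeader {

    // cookie-name is an RFC 2616 token: no CTLs, separators or whitespace.
    private static final Pattern TOKEN =
        Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");

    // cookie-octet: printable US-ASCII except space, DQUOTE, comma, semicolon
    // and backslash (0x22, 0x2C, 0x3B, 0x5C). Quoted values are not emitted here.
    private static final Pattern COOKIE_VALUE =
        Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");

    // path-value: any CHAR except CTLs or semicolon.
    private static final Pattern PATH_VALUE = Pattern.compile("[^\\x00-\\x1F\\x7F;]+");

    /** Returns the header value, e.g. "JSESSIONID=abc; Path=/; Secure; HttpOnly". */
    public static String build(String name, String value, String path,
                               int maxAgeSeconds, boolean secure) {
        if (!TOKEN.matcher(name).matches()) {
            throw new IllegalArgumentException("cookie name is not an RFC 6265 token: " + name);
        }
        if (!COOKIE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("cookie value contains characters not allowed by RFC 6265");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            if (!PATH_VALUE.matcher(path).matches()) {
                throw new IllegalArgumentException("invalid cookie path: " + path);
            }
            sb.append("; Path=").append(path);
        }
        if (maxAgeSeconds >= 0) {
            sb.append("; Max-Age=").append(maxAgeSeconds);
        }
        if (secure) {
            sb.append("; Secure");
        }
        return sb.append("; HttpOnly").toString();
    }

    /** Adds the cookie to the response without going through javax.servlet.http.Cookie. */
    public static void addHttpOnlyCookie(HttpServletResponse response, String name, String value,
                                         String path, int maxAgeSeconds, boolean secure) {
        // addHeader, not setHeader, so that other Set-Cookie headers on the response survive.
        response.addHeader("Set-Cookie", build(name, value, path, maxAgeSeconds, secure));
    }
}
```

      Servlet API 3.0 and later expose `Cookie.setHttpOnly`, which makes the hand-built header unnecessary where that version is available.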

      People

      • Assignee: brian.chan Brian Chan
      • Reporter: zsolt.balogh Zsolt Balogh
      • Votes: 6
      • Watchers: 6