Details

Description

With the HttpOnly flag, developers can block JavaScript access to selected cookies. This helps prevent session theft through XSS vulnerabilities.

As the Java API currently doesn't support the HttpOnly flag, we need to provide a workaround that sets the cookies through the Set-Cookie header.

There are multiple RFCs that describe the Set-Cookie header; the latest one is: http://www.rfc-editor.org/rfc/rfc6265.txt

The RFC changes which characters are allowed in cookie names, so implementing it might break cookies that use some special characters.

However, there were problems with the Java API cookie setting as well.
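The workaround described above, written out as an added example (not code from this issue or the project): on a servlet container whose javax.servlet.http.Cookie has no HttpOnly support, the cookie is emitted as a raw Set-Cookie header with "; HttpOnly" appended, and the name, value and path are checked against the character rules of RFC 6265 section 4.1.1 so that a special character that the RFC forbids fails loudly instead of producing a header the browser silently drops. Class and method names are my own.

```java
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;

// Added example: sets an HttpOnly cookie through the Set-Cookie header on
// containers whose Cookie class predates Servlet 3.0's setHttpOnly().
public final class HttpOnlyCookieWriter {

    // RFC 6265 cookie-name is an RFC 2616 token: no CTLs, separators or spaces.
    private static final Pattern TOKEN =
        Pattern.compile("[!#$%&'*+\\-.0-9A-Z^_`a-z|~]+");

    // cookie-octet: printable US-ASCII except DQUOTE, comma, semicolon,
    // backslash and whitespace (RFC 6265 section 4.1.1).
    private static final Pattern COOKIE_VALUE =
        Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");

    // path-value: any CHAR except CTLs or ';'.
    private static final Pattern PATH_VALUE = Pattern.compile("[\\x20-\\x3A\\x3C-\\x7E]+");

    private HttpOnlyCookieWriter() {}

    /** Builds the Set-Cookie header value. path may be null; maxAge < 0 means session cookie. */
    public static String buildHeader(String name, String value, String path,
                                     int maxAge, boolean secure) {
        if (name == null || !TOKEN.matcher(name).matches()) {
            throw new IllegalArgumentException("cookie name is not an RFC 6265 token: " + name);
        }
        if (value == null || !COOKIE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("cookie value contains characters RFC 6265 forbids");
        }
        if (path != null && !PATH_VALUE.matcher(path).matches()) {
            throw new IllegalArgumentException("cookie path contains CTL or ';'");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            sb.append("; Path=").append(path);
        }
        if (maxAge >= 0) {
            sb.append("; Max-Age=").append(maxAge);
        }
        if (secure) {
            sb.append("; Secure");   // only send over TLS; pair with HttpOnly for session ids
        }
        sb.append("; HttpOnly");     // the flag the Cookie API cannot set on this container
        return sb.toString();
    }

    /** Uses addHeader, not setHeader, so several cookies can be sent in one response. */
    public static void addHttpOnlyCookie(HttpServletResponse response, String name,
                                         String value, String path, int maxAge, boolean secure) {
        response.addHeader("Set-Cookie", buildHeader(name, value, path, maxAge, secure));
    }
}
```

For a session id, buildHeader("JSESSIONID", "abc123", "/", -1, true) yields `JSESSIONID=abc123; Path=/; Secure; HttpOnly`, while a name such as "my cookie" or a value containing ';' is rejected before anything reaches the response.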


Packages

Version: 6.1.X, Package: EE
Version: 6.2.0, Package: CE B3