
Security best practices - No information on how to configure Cookie HttpOnly and Secure flags


Details

    • Improvement
    • Resolution: Done

    Description

      Our Security best practices document contains the following guidance:

      Enforce HTTPS for JSESSIONID cookies by setting secure to true in web.xml. Consider also enabling the httpOnly setting. Make sure you understand the impact of those settings on local development without a certificate.

      It does not, however, state how the cookie HttpOnly and Secure flags can be configured in Magnolia.

      This causes ambiguity. In one case a partner stated that it is Magnolia's responsibility to define these settings in the Tomcat web.xml of the Magnolia bundle, when in fact the values can be defined in the partner's own Maven project.
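The following web.xml fragment is an added example, not from the Magnolia documentation or from this ticket. It uses the standard Servlet 3.0+ session-config/cookie-config elements that Tomcat honours, so it can live in the project's own deployment descriptor rather than in the bundle's Tomcat configuration. The file path and schema version are assumptions about a typical Maven webapp layout; a Magnolia project that overlays its web.xml would merge these elements into that file.

```xml
<!-- Added example (not from the Magnolia docs or this ticket).
     Assumed location: src/main/webapp/WEB-INF/web.xml in the Maven project.
     Servlet 3.0+ cookie-config sets the flags on the JSESSIONID cookie. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <session-config>
    <cookie-config>
      <!-- HttpOnly: the session id is not readable from document.cookie,
           which limits what a script injection can exfiltrate -->
      <http-only>true</http-only>
      <!-- Secure: the browser only sends the cookie over HTTPS.
           On plain http://localhost the cookie is never sent back, so a
           login will not persist in local development without TLS -->
      <secure>true</secure>
    </cookie-config>
  </session-config>

</web-app>
```

After deploying, confirm the flags on the response header rather than trusting the descriptor: a request to the login page over HTTPS (for example with `curl -sI https://<host>/` and looking at the `Set-Cookie` line) should show `JSESSIONID` with both `Secure` and `HttpOnly` attributes. If the same request over plain HTTP in a local setup yields repeated new session ids on each request, that is the Secure flag doing its job, which is the local-development impact the guidance above warns about.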

            People

              abrooks Adrian Brooks
              rtran Raymond Tran
