Improvement
Resolution: Not an issue
Major
Yes
By doing that we will prevent access to the session cookies from JavaScript.
Since Java EE 6 and Servlet 3.0 this is set in web.xml with:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
See https://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly
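As an added verification example (not part of this issue and not the project's own code): the script below checks two things a reviewer would want to confirm after the change above, that the deployment descriptor actually enables http-only under session-config/cookie-config, and that a Set-Cookie header returned by the running application carries the HttpOnly attribute on the session cookie. The web.xml snippets and the Set-Cookie header values are constructed samples; the cookie name JSESSIONID is the Servlet default and is an assumption about the deployment.

```python
"""Verify HttpOnly on the Servlet session cookie: in web.xml and on the wire."""
import xml.etree.ElementTree as ET

# Constructed sample: a Servlet 3.0 web.xml with the flag set (namespaced,
# as real descriptors are).
GOOD_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>"""

# Constructed sample: a descriptor that only sets a timeout and never
# touches the cookie configuration.
BAD_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so we can compare on the element's local name."""
    return tag.rsplit("}", 1)[-1]


def web_xml_sets_httponly(web_xml: str) -> bool:
    """True only if <session-config><cookie-config><http-only> is 'true'."""
    root = ET.fromstring(web_xml)
    for session_config in root.iter():
        if _local(session_config.tag) != "session-config":
            continue
        for cookie_config in session_config:
            if _local(cookie_config.tag) != "cookie-config":
                continue
            for flag in cookie_config:
                if _local(flag.tag) == "http-only":
                    return (flag.text or "").strip().lower() == "true"
    # Missing element means the container default applies, which is not HttpOnly.
    return False


def cookie_is_httponly(set_cookie: str, name: str = "JSESSIONID") -> bool:
    """True if the named cookie in a Set-Cookie header value has the HttpOnly attribute.

    Attribute names are case-insensitive per RFC 6265, so compare lower-cased.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    if not parts or not parts[0].startswith(name + "="):
        return False
    return any(p.lower() == "httponly" for p in parts[1:])


def audit(web_xml: str, set_cookie: str) -> dict:
    """Combine both checks; a deployment passes only if config and runtime agree."""
    config_ok = web_xml_sets_httponly(web_xml)
    runtime_ok = cookie_is_httponly(set_cookie)
    return {"config": config_ok, "runtime": runtime_ok, "ok": config_ok and runtime_ok}


if __name__ == "__main__":
    # Constructed header values, as a container would emit them.
    print(audit(GOOD_WEB_XML, "JSESSIONID=abc123; Path=/; HttpOnly"))
    print(audit(BAD_WEB_XML, "JSESSIONID=abc123; Path=/"))
```

The runtime check matters because a container or a filter can still override the descriptor; checking the descriptor alone would not catch that. Add `<secure>true</secure>` under the same cookie-config when the application is served over HTTPS.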
Acceptance criteria