MAGNOLIA-5819

Enable httpOnly for session cookies by default


Details

    • Type: Improvement
    • Resolution: Not an issue
    • Priority: Major
    • Component: bundle

    Description

      By doing that, we will prevent access to the session cookies from JavaScript.
      Since Java EE 6 and Servlet 3.0, this is set in web.xml with

      <session-config>
        <cookie-config>
          <!-- the container adds the HttpOnly attribute to the session cookie (JSESSIONID) -->
          <http-only>true</http-only>
        </cookie-config>
      </session-config>

      See https://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly
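      The same setting applied through the Servlet 3.0 API instead of web.xml, which is the route when the descriptor is not under your control (for example a packaged bundle). This is an added example, not code from this issue or from Magnolia; the listener class name and the session.cookie.secure context parameter are assumptions, and the secure flag is made conditional because forcing it on a plain-HTTP development instance would make the session cookie unusable.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Programmatic equivalent of the <cookie-config> fragment above.
 * SessionCookieConfig may only be changed while the context is starting up,
 * so a ServletContextListener is the right place for it.
 * Class name and init parameter are assumptions for this example.
 */
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        // Same effect as <http-only>true</http-only>: the container emits
        // "Set-Cookie: JSESSIONID=...; HttpOnly", so document.cookie cannot read it
        // and a script-injection bug cannot simply exfiltrate the session id.
        cfg.setHttpOnly(true);

        // Same effect as <secure>true</secure>: the cookie is only sent over TLS.
        // Gated on a hypothetical context parameter so that HTTP-only dev setups keep working.
        if (Boolean.parseBoolean(ctx.getInitParameter("session.cookie.secure"))) {
            cfg.setSecure(true);
        }

        ctx.log("Session cookie flags: httpOnly=" + cfg.isHttpOnly()
                + " secure=" + cfg.isSecure());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to undo; the container discards the cookie config with the context
    }
}
```

      Whichever route is used, confirm it from the outside: request a page that starts a session and check that the Set-Cookie header for JSESSIONID carries the HttpOnly attribute (and Secure where the site is served over TLS).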


              People

                Assignee: Unassigned
                Reporter: Federico Grilli (fgrilli)
                Votes: 1
                Watchers: 1
