Magnolia / MAGNOLIA-5819

Enable httpOnly for session cookies by default

    • Type: Improvement
    • Priority: Major
    • Resolution: Not an issue
    • Component: bundle

By doing that we will prevent access to the session cookies from JavaScript.
Since Java EE 6 and Servlet 3.0 this is set in web.xml with

    <session-config>
     <cookie-config>
      <http-only>true</http-only>
     </cookie-config>
    </session-config>

See https://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly
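The following is an added example, not Magnolia project code and not part of the original issue. It shows the two checks a reviewer would want for this change: a namespace-agnostic audit of a Servlet 3.0 web.xml for the `<http-only>` setting described above, and a check that the container actually emits `HttpOnly` on the `JSESSIONID` Set-Cookie header. The two web.xml documents and the header strings are constructed sample inputs; the cookie name `JSESSIONID` is the Servlet default and is assumed here.

```python
# Added example (not Magnolia project code): audit a Servlet 3.0+ web.xml for the
# session-cookie HttpOnly flag and verify the flag on a real Set-Cookie header.
# All inputs below are constructed samples.
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

# Constructed sample: web.xml with the hardened <session-config> from the issue.
WEB_XML_HARDENED = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed sample: web.xml with no <session-config> at all, so the flag
# depends entirely on the servlet container's default.
WEB_XML_DEFAULT = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>sample</display-name>
</web-app>
"""


def session_cookie_http_only(web_xml: str) -> bool:
    """Return True only if <session-config>/<cookie-config>/<http-only> is 'true'.

    web.xml declares a default namespace (java.sun.com or xmlns.jcp.org,
    depending on the schema version), so the lookup uses ElementTree's '{*}'
    wildcard (Python 3.8+) rather than hard-coding one namespace. An absent
    element is reported as not configured: the container default then decides,
    which is exactly what an explicit setting is meant to avoid.
    """
    root = ET.fromstring(web_xml)
    node = root.find("./{*}session-config/{*}cookie-config/{*}http-only")
    if node is None or node.text is None:
        return False
    return node.text.strip().lower() == "true"


def set_cookie_is_http_only(header_value: str, name: str = "JSESSIONID") -> bool:
    """Return True if the named cookie in a Set-Cookie header value carries HttpOnly.

    http.cookies parses bare attribute flags (HttpOnly, Secure) as True and
    leaves them as '' when absent, so a plain truth test is sufficient.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    morsel = jar.get(name)
    return morsel is not None and bool(morsel["httponly"])


if __name__ == "__main__":
    for label, xml in (("hardened", WEB_XML_HARDENED), ("default", WEB_XML_DEFAULT)):
        print(f"web.xml ({label}): http-only configured = {session_cookie_http_only(xml)}")
    # Constructed header values, as a container would send them for a session cookie.
    for hdr in ("JSESSIONID=1A2B3C; Path=/magnolia; HttpOnly",
                "JSESSIONID=1A2B3C; Path=/magnolia"):
        print(f"{hdr!r}: HttpOnly = {set_cookie_is_http_only(hdr)}")
```

Running the web.xml audit over the deployed descriptor catches a missing or `false` setting before deployment; checking the live `Set-Cookie` header catches the case where the descriptor is right but a filter or framework re-issues the session cookie without the flag.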

    • Assignee: Unassigned
    • Reporter: Federico Grilli (fgrilli)