[MAGNOLIA-5819] Enable httpOnly for session cookies by default Created: 24/Jun/14  Updated: 04/Mar/19  Resolved: 02/Jan/17

Status: Closed
Project: Magnolia
Component/s: bundle
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Federico Grilli Assignee: Unassigned
Resolution: Not an issue Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Release notes required:
Yes

Description

Doing so prevents JavaScript from accessing the session cookie.
Since Java EE 6 / Servlet 3.0 this is set in web.xml with

<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>

See https://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly
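The web.xml setting above only takes effect when the deployment descriptor declares web-app version 3.0 or later and the container honours it, so the practical check is to look at what the server actually sends. The following script is an added example and not part of the Magnolia issue or code base: it parses Set-Cookie header values (the sample headers are constructed, not captured from Magnolia) and reports which session cookies are still readable from JavaScript because the HttpOnly attribute is missing. The cookie name JSESSIONID is the servlet container default and is an assumption here; add any custom session cookie name your deployment uses.

```python
"""Report session cookies whose Set-Cookie header lacks the HttpOnly attribute.

Added example for the issue above, not Magnolia code. Feed it the raw
Set-Cookie header values from an HTTP response (e.g. copied from a
browser's network panel or a curl -i run) to confirm the web.xml
<http-only> setting is actually in effect.
"""
from typing import List, NamedTuple

# Servlet containers name the session cookie JSESSIONID by default;
# this set is an assumption and should include any custom name in use.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


class CookieCheck(NamedTuple):
    name: str
    http_only: bool
    secure: bool


def parse_set_cookie(header_value: str) -> CookieCheck:
    """Parse one Set-Cookie header value into the cookie name and its flags.

    Attribute names are compared case-insensitively (RFC 6265 treats
    "HttpOnly" and "httponly" the same), and empty segments produced by
    a trailing ';' are ignored.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieCheck(name=name,
                       http_only="httponly" in attrs,
                       secure="secure" in attrs)


def session_cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of session cookies that are missing HttpOnly."""
    missing = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if cookie.name in SESSION_COOKIE_NAMES and not cookie.http_only:
            missing.append(cookie.name)
    return missing


# Constructed sample headers: what a container sends before and after the
# <http-only>true</http-only> setting from the issue description is applied.
BEFORE_FIX = [
    "JSESSIONID=0123456789ABCDEF; Path=/",
    "csrf-token=deadbeef; Path=/; SameSite=Strict",
]
AFTER_FIX = [
    "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly",
    "csrf-token=deadbeef; Path=/; SameSite=Strict",
]


def report(label: str, headers: List[str]) -> None:
    """Print a one-line verdict for a set of Set-Cookie headers."""
    missing = session_cookies_missing_httponly(headers)
    if missing:
        print(f"{label}: session cookie(s) readable from JavaScript: {', '.join(missing)}")
    else:
        print(f"{label}: all session cookies carry HttpOnly")


if __name__ == "__main__":
    report("before fix", BEFORE_FIX)
    report("after fix", AFTER_FIX)
```

The csrf-token line is deliberately left without HttpOnly in both samples: a cookie that a page's scripts must read is not a session cookie and is not what this check is about, so the script only flags names listed in SESSION_COOKIE_NAMES.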
