Bug #11158

closed

JSESSION cookie should be "httpOnly"

Added by François ARMAND almost 7 years ago. Updated 9 months ago.

Status: Rejected
Priority: N/A
Assignee: -
Category: Security
Priority: 0

Description

It is a good practice to do so.

Just add the following "jetty-web.xml" file in the WEB-INF directory:

<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="httpOnly" type="boolean">true</Set>
        </Get>
    </Get>
</Configure>
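
An added example, not part of the original ticket or of Rudder's code: a small Python check that reads response headers and reports whether the session cookie carries the HttpOnly flag requested here and the Secure flag from #11159. The cookie name JSESSIONID (the servlet default), the /rudder path and the sample responses are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the session cookie flags
# discussed in this ticket (HttpOnly) and in #11159 (Secure).

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because they are case-insensitive
    (RFC 6265); flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_session_cookie(raw_headers, cookie_name="JSESSIONID"):
    """Return findings for every Set-Cookie header that sets cookie_name."""
    findings, seen = [], False
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or an unrelated header
        name, _, attrs = parse_set_cookie(value.strip())
        if name != cookie_name:
            continue
        seen = True
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"{cookie_name}: missing {flag}")
    if not seen:
        findings.append(f"{cookie_name}: cookie not set in this response")
    return findings


# Constructed sample responses (assumed values, not captured from a real server).
BEFORE = "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=node0abc123;Path=/rudder\r\n"
AFTER = "HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=node0abc123; Path=/rudder; Secure; HttpOnly\r\n"

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_session_cookie(headers) or "ok")
```

The check works on the headers the client actually receives, so it gives the same answer whether the flags are set by Jetty or by a web server in front of it.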

Related issues: 1 (0 open, 1 closed)

Related to Rudder - Bug #11159: JSESSION cookie should be "secure" (Released, Benoît PECCATTE)

#1

Updated by François ARMAND almost 7 years ago

  • Copied to Bug #11159: JSESSION cookie should be "secure" added

#2

Updated by François ARMAND almost 7 years ago

  • Status changed from New to Rejected

I'm closing this one as the chosen solution is managed by Apache and corrected in #11159.

#3

Updated by François ARMAND almost 7 years ago

  • Copied to deleted (Bug #11159: JSESSION cookie should be "secure")

#4

Updated by François ARMAND almost 7 years ago

  • Related to Bug #11159: JSESSION cookie should be "secure" added

#5

Updated by Alexis Mousset 9 months ago

  • Private changed from Yes to No