Bug #11158: JSESSION cookie should be "httpOnly" - Rudder - Issue Tracker

Actions

Copy link

Bug #11158

closed

JSESSION cookie should be "httpOnly"

Added by François ARMAND over 7 years ago. Updated over 1 year ago.

Status:

Rejected

Priority:

N/A

Assignee:

Category:

Security

Target version:

3.1.22

Pull Request:

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

Fix check:

Regression:

Description

It is a good practice to do so.

Just add the following "jetty-web.xml" file in WEB-INF directory:

<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="httpOnly" type="boolean">true</Set>
        </Get>
    </Get>
</Configure>

Related issues 1 (0 open — 1 closed)

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Rudder

Custom queries

Bug #11158

JSESSION cookie should be "httpOnly"

Updated by François ARMAND over 7 years ago

Updated by François ARMAND over 7 years ago

Updated by François ARMAND over 7 years ago

Updated by François ARMAND over 7 years ago

Updated by Alexis Mousset over 1 year ago