Project

General

Profile

Actions
Copy link

Bug #11158

closed

JSESSION cookie should be "httpOnly"

Bug #11158: JSESSION cookie should be "httpOnly"

Added by François ARMAND over 8 years ago. Updated over 2 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Security
Target version:
3.1.22
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
Fix check:
Regression:

Description

It is a good practice to do so.

Just add the following "jetty-web.xml" file in WEB-INF directory:

<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="httpOnly" type="boolean">true</Set>
        </Get>
    </Get>
</Configure>

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #11159: JSESSION cookie should be "secure"ReleasedBenoît PECCATTEActions
Actions
Copy link

Also available in: PDF Atom