[jboss-dev-forums] [Design of Security on JBoss] - Adding the HttpOnly cookie flag to the core of JBoss

Saturday, 22 March 2008

Hello - are there any development plans to add the HttpOnly cookie flag to the JBoss
session handing cookie? When the HttpOnly flag is added to the session cookie, it prevents
JavaScript from reading cookie data. This protects the session cookie from Cross Site
Scripting Session Hijack attacks. The HttpOnly cookie flag, while not a standard, is a
widely used practice and is supported in IE 6+, FF 2.0.0.5+, Opera 9.01+, Konqueror, and
is under development at Safari/Webkit. 

I've tried to get the cookie1 standard amended, but the best most teams come up with
is the old netscape docs on cookie1 - cookie2 never took off.

Any help adding this easy but rather significant fix to JBoss would be greatly
appreciated. I am also leading the charge getting HttpOnly added to Tomcat
http://manicode.blogspot.com/2008/03/httponly-support-for-apache-tomcat.html

View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4138440#...

Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[jboss-dev-forums] [Design of Security on JBoss] - Adding the HttpOnly cookie flag to the core of JBoss