[jboss-dev-forums] [TODO - DEVELOPMENT] - HttpOnly cookie flag
jmanico
do-not-reply at jboss.com
Sat Mar 22 15:54:04 EDT 2008
Hello. Are there any plans to support the HttpOnly cookie flag in the session cookie (JSESSIONID) of JBoss? Tomcat is en route to support this security flag.
As a side note, the HttpOnly cookie flag blocks JavaScript from accessing cookie data. It is supported by IE6+, Firefox 2.0.0.5+ and Opera 9.5+, and is still being developed for Safari. It's not a standard per se but is very widely used in practice. The Java Server JSR is also considering this flag. The security benefits are very significant. There is never, ever a need to access the JSESSIONID cookie via JavaScript. By adding HttpOnly support to JBoss, a large class of Cross Site Scripting and Session Hijacking attacks will be prevented.
Thank you!!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4138439#4138439
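The check and the workaround that the post above implies, as an added example (this is not code from the original post or from the JBoss project): parse the Set-Cookie headers a container returns, report whether the JSESSIONID cookie carries HttpOnly, and append the flag when it is missing, which is what a servlet filter or reverse proxy does in front of a container that cannot emit it itself. The header values below are constructed samples, not captured from a real JBoss instance; the cookie name JSESSIONID is the only value taken from the post.

```python
"""Audit and repair the HttpOnly flag on a servlet session cookie.

Added example, not JBoss project code. It works on raw Set-Cookie header
values, so it runs offline against the constructed samples below; feed it
the headers from `curl -si` to audit a live container.
"""
from typing import Dict, List, Tuple

SESSION_COOKIE = "JSESSIONID"  # default servlet session cookie name (from the post)


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value}).

    Flag attributes such as HttpOnly and Secure carry no value and map to "".
    Attribute names are lower-cased because clients treat them case-insensitively.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def session_cookie_is_httponly(headers: List[Tuple[str, str]]) -> bool:
    """True only if a JSESSIONID Set-Cookie is present and carries HttpOnly."""
    for name, val in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, _, attrs = parse_set_cookie(val)
        if cookie_name == SESSION_COOKIE:
            return "httponly" in attrs
    return False  # no session cookie at all: nothing to protect, nothing flagged


def add_http_only(header_value: str) -> str:
    """Append the HttpOnly flag unless it is already present (idempotent)."""
    _, _, attrs = parse_set_cookie(header_value)
    if "httponly" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"


def harden_headers(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return a copy of the headers with HttpOnly added to the JSESSIONID cookie.

    Other Set-Cookie headers are left untouched, so application cookies that a
    page legitimately reads from JavaScript keep working.
    """
    hardened = []
    for name, val in headers:
        if name.lower() == "set-cookie" and parse_set_cookie(val)[0] == SESSION_COOKIE:
            val = add_http_only(val)
        hardened.append((name, val))
    return hardened


# Constructed sample responses (not real server output): the first mimics a
# container that sets the session cookie without the flag, the second one that
# already emits it.
UNFLAGGED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=8A3C1F0B2D; Path=/app"),
]
FLAGGED = [("Set-Cookie", "JSESSIONID=8A3C1F0B2D; Path=/app; HttpOnly")]

if __name__ == "__main__":
    for label, hdrs in (("unflagged", UNFLAGGED), ("flagged", FLAGGED)):
        print(f"{label}: JSESSIONID HttpOnly = {session_cookie_is_httponly(hdrs)}")
    for name, val in harden_headers(UNFLAGGED):
        print(f"{name}: {val}")
```

The repair step only rewrites the header; it does not change how the container issues or validates sessions, so a filter built on it must run before the response is committed or the added flag is never sent.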