[jboss-dev-forums] [Design of Security on JBoss] - Adding the HttpOnly cookie flag to the core of JBoss
jmanico
do-not-reply at jboss.com
Sat Mar 22 16:02:46 EDT 2008
Hello - are there any development plans to add the HttpOnly cookie flag to the JBoss session handling cookie? When the HttpOnly flag is added to the session cookie, it prevents JavaScript from reading cookie data. This protects the session cookie from Cross Site Scripting Session Hijack attacks. The HttpOnly cookie flag, while not a standard, is a widely used practice and is supported in IE 6+, FF 2.0.0.5+, Opera 9.01+, Konqueror, and is under development at Safari/Webkit.
I've tried to get the cookie1 standard amended, but the best most teams come up with is the old Netscape docs on cookie1 - cookie2 never took off.
Any help adding this easy but rather significant fix to JBoss would be greatly appreciated. I am also leading the charge to get HttpOnly added to Tomcat: http://manicode.blogspot.com/2008/03/httponly-support-for-apache-tomcat.html
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4138440#4138440
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4138440
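As an added example (not code from the post, from JBoss or from Tomcat), a small Node.js audit that parses Set-Cookie response headers and reports any session cookie, JSESSIONID by default, that was issued without the HttpOnly flag; the sample headers are constructed, and the cookie names and function names are assumptions.

```javascript
// Added example (not from the original post): audit Set-Cookie headers and
// report session cookies issued without the HttpOnly flag.
// Assumes Node.js; SAMPLE_HEADERS below are constructed, not captured traffic.

// Parse one Set-Cookie header value into { name, value, attrs }, where attrs
// maps lower-cased attribute names to their value (or true for bare flags).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');             // first '=' splits name/value
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq < 0 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Cookie names treated as session cookies (assumption: the servlet default).
const SESSION_COOKIE_NAMES = new Set(['jsessionid']);

// Return one finding per session cookie that lacks HttpOnly. Attribute names
// are compared case-insensitively, which is how browsers treat them.
function auditSetCookies(headers, sessionNames = SESSION_COOKIE_NAMES) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!sessionNames.has(c.name.toLowerCase())) continue;
    if (!('httponly' in c.attrs)) {
      findings.push({ cookie: c.name, problem: 'missing HttpOnly', header: h });
    }
  }
  return findings;
}

// Constructed sample: a session cookie without the flag, one with it, and an
// unrelated cookie that the audit ignores.
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/app',
  'JSESSIONID=def456; Path=/app; HttpOnly',
  'theme=dark; Path=/',
];

console.log(auditSetCookies(SAMPLE_HEADERS));
```

Pointing the same audit at the headers of a real login response shows whether the container's session cookie carries the flag without needing to inspect browser behaviour.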