Always make server-created cookies HttpOnly #272

BalusC opened this Issue Jun 21, 2016 · 2 comments


BalusC commented Jun 21, 2016 edited


It's considered bad practice when server-created cookies are modifiable in JavaScript. Instead, such cookies must be created by JavaScript itself.

Ideally, all server-created cookies must be HttpOnly, without exceptions. Currently, the Faces, FacesLocal and Servlets utility classes don't take this into account.

@BalusC BalusC changed the title from Always make cookies HttpOnly to Always make server-created cookies HttpOnly Jun 21, 2016

Updated #232 per recommendations in the PR comments.
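Added example (not OmniFaces code, not from the issue author): a standalone Servlet helper contrasting a server-created cookie left readable by `document.cookie` with the HttpOnly form the issue asks for. Class and method names are assumed for illustration; the `secure` flag goes slightly beyond the issue text and is an added assumption.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative helper showing why a cookie created on the server should
 * carry the HttpOnly attribute. Names here are hypothetical.
 */
public final class ServerCookieExample {

    private ServerCookieExample() {}

    /** Before: no HttpOnly, so page scripts can read and overwrite the value. */
    public static Cookie scriptReadableCookie(String name, String value, int maxAgeSeconds) {
        Cookie cookie = new Cookie(name, value);
        cookie.setPath("/");
        cookie.setMaxAge(maxAgeSeconds);
        return cookie; // Set-Cookie: name=value; Path=/; Max-Age=...
    }

    /** After: always HttpOnly; Secure is an added option, set when the request came over TLS. */
    public static Cookie httpOnlyCookie(String name, String value, int maxAgeSeconds, boolean secure) {
        Cookie cookie = new Cookie(name, value);
        cookie.setPath("/");
        cookie.setMaxAge(maxAgeSeconds);
        cookie.setHttpOnly(true); // Servlet 3.0+ API; emits the HttpOnly attribute
        cookie.setSecure(secure); // only transmitted over HTTPS when true
        return cookie; // Set-Cookie: name=value; Path=/; Max-Age=...; HttpOnly[; Secure]
    }

    /** Adds the hardened cookie to the response; the caller never gets a non-HttpOnly variant. */
    public static void addResponseCookie(HttpServletResponse response, String name,
                                         String value, int maxAgeSeconds, boolean secure) {
        response.addCookie(httpOnlyCookie(name, value, maxAgeSeconds, secure));
    }
}
```

To check the result, inspect the `Set-Cookie` response header (browser devtools or `curl -i`) and confirm `HttpOnly` is present; in the browser, `document.cookie` should no longer list the cookie.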

BalusC commented Jun 22, 2016 edited

As this is a potentially breaking change, I will implement it once 2.4 has been released and branch is ready for 2.5.

@BalusC BalusC closed this in a4234ef Jul 2, 2016