This repository has been archived by the owner on Jul 27, 2022. It is now read-only.
Use HttpOnly flag for session cookie #79
Comments
|
How can we do that? Its up to jetty |
|
You can do it in the web.xml <session-config>
<session-timeout>60</session-timeout>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config> |
|
PR: #80 |
tandraschko
added a commit
that referenced
this issue
May 9, 2018
closes #79 - use HttpOnly session cookie
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Session cookies should be HttpOnly, see https://www.owasp.org/index.php/HttpOnly.
Otherwise, XSS vulnerabilities can lead to session hijacking, see primefaces/primefaces#3623 for example.
Just imagine, store.primefaces.org wasn't isolated from showcase and you previously were logged in as superuser...
The text was updated successfully, but these errors were encountered: