https://bz.apache.org/bugzilla/show_bug.cgi?id=69478
Bug ID: 69478
Summary: Cookie setSecure and setHttpOnly ignore argument
Product: Tomcat 11
Version: 11.0.1
Hardware: PC
OS: Linux
Status: NEW
Severity: regression
Priority: P2
Component: Servlet
Assignee: dev@tomcat.apache.org
Reporter: tho...@tkr.sh
Target Milestone: -------

Both methods on Cookie [1] `setSecure(bool)` and `setHttpOnly(bool)` ignore the argument given to them.

This effectively means calling `setHttpOnly(false)` on a cookie actually enables the HttpOnly flag for the cookie instead of disabling it, breaking the browser's access to the cookie value.

This was changed in a commit [2] for Tomcat 11, intending to change the data internals of the cookie. However, I don't assume this breaking change was intended because the doc stayed the same and still suggests the proper behavior.

[1]: https://github.com/apache/tomcat/blob/main/java/jakarta/servlet/http/Cookie.java
[2]: https://github.com/apache/tomcat/commit/4ca2a66d6203ce7843fbaa9fd47be82cba477781
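A regression check for the behaviour reported above, added here as an example; it is not code from the report or from the Tomcat project. It assumes Tomcat's own `servlet-api.jar` is on the classpath, and the class and helper names are hypothetical; only the `jakarta.servlet.http.Cookie` calls are real API.

```java
import jakarta.servlet.http.Cookie;
import java.util.ArrayList;
import java.util.List;
import java.util.function.BiConsumer;
import java.util.function.Predicate;

// Added regression check (not Tomcat's own test code). Class and method names
// are hypothetical; only the jakarta.servlet.http.Cookie calls are real API.
public class CookieFlagRegressionCheck {

    // Apply each value in `sequence` through the setter and record every step
    // where the getter disagrees with the value that was just passed in.
    static List<String> check(String flag, BiConsumer<Cookie, Boolean> setter,
                              Predicate<Cookie> getter, boolean... sequence) {
        List<String> failures = new ArrayList<>();
        Cookie cookie = new Cookie("sample", "value"); // constructed sample cookie
        for (boolean wanted : sequence) {
            setter.accept(cookie, wanted);
            boolean actual = getter.test(cookie);
            if (actual != wanted) {
                failures.add(flag + ": set(" + wanted + ") but getter returned " + actual);
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        List<String> failures = new ArrayList<>();
        // false on a fresh cookie, then true, then back to false: the last step
        // catches a setter that can enable a flag but never clear it again.
        failures.addAll(check("HttpOnly", Cookie::setHttpOnly, Cookie::isHttpOnly,
                false, true, false));
        failures.addAll(check("Secure", Cookie::setSecure, Cookie::getSecure,
                false, true, false));

        failures.forEach(System.out::println);
        System.out.println(failures.isEmpty()
                ? "OK: both setters honour their argument"
                : "FAIL: " + failures.size() + " mismatch(es)");
        // Non-zero exit lets a build or upgrade pipeline stop on the regression.
        System.exit(failures.isEmpty() ? 0 : 1);
    }
}
```

Running this against the `servlet-api.jar` of each Tomcat version under evaluation shows whether application code that relies on `setHttpOnly(false)` or `setSecure(false)` is affected before the upgrade reaches production.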