https://issues.apache.org/bugzilla/show_bug.cgi?id=44382
--- Comment #9 from Jim Manico <[EMAIL PROTECTED]> 2008-07-24 18:47:23 PST ---

Thank you for your support to see my HttpOnly session id patch get pushed into a future release of Tomcat. Several of the committers tell me that this patch will indeed go live in a future release - after the recent dramatic and dramatic changes to cookie encoding settle down.

The patches I submitted are rather simple; this is not rocket science. (And it will indeed break very old/obscure browsers like IE 5.5 on Mac.)

My patch does not change anything by default - it requires a configuration change to make the JSESSIONID cookies HttpOnly. I prefer secure by default, but I think this is a fair compromise to encourage the powers-that-be to push this live, hopefully soon.