DO NOT REPLY [Bug 49716] HttpOnly flag can't be turned off for JSESSIONID

bugzilla Fri, 06 Aug 2010 00:35:29 -0700

https://issues.apache.org/bugzilla/show_bug.cgi?id=49716


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
         OS/Version|                            |All

--- Comment #1 from Mark Thomas <ma...@apache.org> 2010-08-06 03:34:57 EDT ---
The useHttpOnly attirbute on the <Context .../> which defaults to true
deliberately takes precedence so a) administrators can override application
settings and b) session cookies are secure by default even if the application
tries to make them less secure.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

DO NOT REPLY [Bug 49716] HttpOnly flag can't be turned off for JSESSIONID

Reply via email to