HttpOnly cookies in Tomcat

For HttpOnly, refer to:

Protecting Your Cookies: HttpOnly
http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

httpOnly is supported as of Tomcat 6.0.19 and Tomcat 5.5.28.

See the changelog entry for bug 44382.

The last comment for bug 44382 states, "this has been applied to 5.5.x and will be included in 5.5.28 onwards." However, it does not appear that 5.5.28 has been released.

The httpOnly functionality can be enabled for all webapps in conf/context.xml:

<Context useHttpOnly="true">
...
</Context>

My interpretation is that it also works for an individual context by setting it on the desired Context entry in conf/server.xml (in the same manner as above).

http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps
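A way to audit the two files mentioned above for the useHttpOnly setting, as an added example that is not part of the original answer or of Tomcat itself. It assumes that a per-Context attribute in conf/server.xml overrides the global value from conf/context.xml; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _flag(elem):
    """Return True/False for an explicit useHttpOnly attribute, None if absent."""
    raw = elem.get("useHttpOnly")
    return None if raw is None else raw.strip().lower() == "true"

def audit_http_only(context_xml, server_xml):
    """Map each Context to its effective useHttpOnly value.

    Assumption: a per-Context attribute in server.xml overrides the global
    default from conf/context.xml. None means neither file sets the flag,
    so the built-in default of the installed Tomcat version applies.
    """
    global_flag = _flag(ET.fromstring(context_xml))
    report = {"<global conf/context.xml>": global_flag}
    for ctx in ET.fromstring(server_xml).iter("Context"):
        own = _flag(ctx)
        report[ctx.get("path", "<no path>")] = global_flag if own is None else own
    return report

def weak_contexts(report):
    """Entries where HttpOnly is not explicitly enabled (False or unset)."""
    return sorted(name for name, flag in report.items() if flag is not True)

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONTEXT_XML = """<Context useHttpOnly="true">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""

SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/shop" docBase="shop"/>
        <Context path="/legacy" docBase="legacy" useHttpOnly="false"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    report = audit_http_only(SAMPLE_CONTEXT_XML, SAMPLE_SERVER_XML)
    for name, flag in report.items():
        print(f"{name}: useHttpOnly={flag}")
    print("needs review:", weak_contexts(report))
```

An entry reported as unset is listed for review rather than treated as safe, because the effective behaviour then depends on the Tomcat version in use.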
