Details
Bug
Status: Resolved
Major
Resolution: Fixed
None
None
Reviewed
Description
In HTTPServer2.java for the default context the secure attributes are set.
    SessionManager sm = webAppContext.getSessionHandler().getSessionManager();
    if (sm instanceof AbstractSessionManager) {
      AbstractSessionManager asm = (AbstractSessionManager)sm;
      asm.setHttpOnly(true);
      asm.setSecureCookies(true);
    }
But when the contexts are created for /logs and /static, new contexts are created and the session handler is assigned as null.
Here also the secure attributes need to be set.
Is it not done intentionally? Please give your thoughts.
Background
Trying to add a login action for HTTP pages. After this, when a security test tool is used, it reports an error for these 2 URLs (/logs and /static).
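
One way to give the /logs and /static contexts a session handler carrying the same two cookie settings, as an added example that is not Hadoop's code or the fix attached to this issue. It assumes the Jetty 6 API (the org.mortbay.jetty packages); the class SecureContexts, its method names and the /tmp directories are hypothetical.

```java
// Added example, not Hadoop's code. Assumes Jetty 6 (org.mortbay.jetty.*) on the classpath.
// SecureContexts, hardenedSessionHandler and addHardenedContext are hypothetical names.
import org.mortbay.jetty.Server;
import org.mortbay.jetty.SessionManager;
import org.mortbay.jetty.handler.ContextHandlerCollection;
import org.mortbay.jetty.servlet.AbstractSessionManager;
import org.mortbay.jetty.servlet.Context;
import org.mortbay.jetty.servlet.DefaultServlet;
import org.mortbay.jetty.servlet.SessionHandler;

public class SecureContexts {

  /** Build a session handler whose session cookie is flagged HttpOnly and Secure. */
  static SessionHandler hardenedSessionHandler() {
    SessionHandler handler = new SessionHandler();
    SessionManager sm = handler.getSessionManager();
    // Same guard as the default-context snippet: only AbstractSessionManager has the setters.
    if (sm instanceof AbstractSessionManager) {
      AbstractSessionManager asm = (AbstractSessionManager) sm;
      asm.setHttpOnly(true);       // cookie is not readable from page scripts
      asm.setSecureCookies(true);  // cookie is marked for HTTPS transport only
    }
    return handler;
  }

  /** Create an auxiliary context (such as /logs or /static) with its own hardened handler. */
  static Context addHardenedContext(ContextHandlerCollection parent,
                                    String path, String resourceBase) {
    // This constructor passes no SESSIONS option, so the context starts with a null session handler.
    Context ctx = new Context(parent, path);
    ctx.setResourceBase(resourceBase);
    ctx.addServlet(DefaultServlet.class, "/*");
    ctx.setSessionHandler(hardenedSessionHandler());
    return ctx;
  }

  public static void main(String[] args) {
    Server server = new Server();
    ContextHandlerCollection contexts = new ContextHandlerCollection();
    server.setHandler(contexts);
    // Constructed sample directories; the server is wired up but not started.
    Context logs = addHardenedContext(contexts, "/logs", "/tmp/example-logs");
    Context stat = addHardenedContext(contexts, "/static", "/tmp/example-static");
    for (Context c : new Context[] {logs, stat}) {
      System.out.println(c.getContextPath() + " has session handler: "
          + (c.getSessionHandler() != null));
    }
  }
}
```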