[SHIRO-601] deleted cookies don't set httpOnly flag. trigger warnings in PEN tools - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 1.3.2
Fix Version/s: None
Component/s: Session Management
Labels:
None
Environment:
java 1.7.045

Description

When Shiro deletes a session cookie on logout it explicitly sets the httpOnly flag to false. This is triggering false positive warnings in PEN testing tools like OWASP.

To avoid this, Shiro should ALWAYS set the httpOnly flag for its session cookies whether they are being set to 'deleteMe' or not.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Matt Baker

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 10/Nov/16 13:59

Updated:: 10/Nov/16 13:59