Shiro / SHIRO-601

Deleted cookies don't set the httpOnly flag and trigger warnings in pen tools


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.3.2
    • Fix Version/s: None
    • Component/s: Session Management
    • Labels: None
    • Environment: java 1.7.045

      Description

      When Shiro deletes a session cookie on logout, it explicitly sets the httpOnly flag to false. This is triggering false-positive warnings in pen-testing tools like OWASP.

      To avoid this, Shiro should ALWAYS set the httpOnly flag for its session cookies whether they are being set to 'deleteMe' or not.
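As an added illustration (not code from this issue or from Shiro itself), the following Shiro 1.x `SimpleCookie` subclass writes the logout "deleteMe" cookie itself so that the HttpOnly and Secure attributes configured on the cookie are carried over to the deletion header rather than dropped. The class name `HttpOnlyOnDeleteCookie`, the helper `buildDeleteHeader`, and the exact header layout are this example's own choices; it relies only on `SimpleCookie`'s public constructors and its `getName()`, `getDomain()`, `getPath()`, `isSecure()`, and `isHttpOnly()` accessors, and on `removeFrom(HttpServletRequest, HttpServletResponse)` being the hook Shiro calls when it deletes the cookie.

```java
// Added example, not Shiro project code. Assumes Shiro 1.x's
// org.apache.shiro.web.servlet.SimpleCookie API; the class name, the helper
// and the header layout below are this example's own.
package com.example.shiro;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.web.servlet.SimpleCookie;

public class HttpOnlyOnDeleteCookie extends SimpleCookie {

    // Same marker value Shiro writes when it deletes a cookie.
    static final String DELETE_VALUE = "deleteMe";

    public HttpOnlyOnDeleteCookie() {
        super();
    }

    public HttpOnlyOnDeleteCookie(String name) {
        super(name);
    }

    /**
     * Emit the deletion cookie ourselves so its attributes stay under our
     * control: Max-Age=0 plus an Expires in the past removes it from the
     * browser, and Secure/HttpOnly mirror the cookie's configured flags
     * instead of being omitted for the deletion.
     */
    @Override
    public void removeFrom(HttpServletRequest request, HttpServletResponse response) {
        String header = buildDeleteHeader(
                getName(), getDomain(), resolvePath(request), isSecure(), isHttpOnly());
        response.addHeader("Set-Cookie", header);
    }

    /**
     * Path rule used here (assumed to match how Shiro picks the cookie path):
     * an explicitly configured path wins, else the servlet context path, else "/".
     */
    private String resolvePath(HttpServletRequest request) {
        String path = getPath();
        if (path == null || path.isEmpty()) {
            path = request.getContextPath();
        }
        return (path == null || path.isEmpty()) ? "/" : path;
    }

    /** Builds the Set-Cookie header value that deletes the cookie. */
    static String buildDeleteHeader(String name, String domain, String path,
                                    boolean secure, boolean httpOnly) {
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(DELETE_VALUE);
        sb.append("; Path=").append(path);
        if (domain != null && !domain.isEmpty()) {
            sb.append("; Domain=").append(domain);
        }
        // Max-Age for current browsers, Expires for older ones that ignore Max-Age.
        sb.append("; Max-Age=0");
        sb.append("; Expires=Thu, 01 Jan 1970 00:00:00 GMT");
        if (secure) {
            sb.append("; Secure");
        }
        if (httpOnly) {
            sb.append("; HttpOnly");
        }
        return sb.toString();
    }
}
```

To use it for the session cookie, wire it in place of the default cookie, for example in shiro.ini with `sessionIdCookie = com.example.shiro.HttpOnlyOnDeleteCookie`, `sessionIdCookie.httpOnly = true`, and `sessionManager.sessionIdCookie = $sessionIdCookie` on a `DefaultWebSessionManager`; the same subclass can be handed to `CookieRememberMeManager.setCookie` for the rememberMe cookie. After deploying, log out while capturing the response and confirm the `Set-Cookie` line carries `; HttpOnly` (and `; Secure` when the site is served over TLS); that is the header the scanner flagged.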


            People

            • Assignee: Unassigned
            • Reporter: mbaker@progress.com Matt Baker
            • Votes: 0
            • Watchers: 1