Setting the "HttpOnly" flag
alistair



Hi,

We've been advised that, if possible, we should set the "HttpOnly" flag in our HTTP response headers.

Is this possible with ICEfaces? If so, how?

We're using ICEfaces 1.7.2.

Thanks for any help,


Alistair.
oscarvegar



Any solution?
deepakpn



Any solution?
deepakpn



I tried setting the session-config in web.xml to be:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

This does not help in setting the desired HttpOnly and Secure flags for ICEfaces-generated cookies such as:
ice.push.browser
ice.connection.contextpath
ice.connection.lease
ice.pushids

Is there any method to set the flags on these cookies? If there is none, ICEfaces should probably provide a way to do this.
deepakpn



For the ice.push.browser cookie, it can easily be fixed by setting the Secure and HttpOnly flags in icepush/core/src/main/java/org/icepush/PushContext.java (around line 83). Could someone patch it up please?
ted.goddard



The values of these cookies are read by ICEfaces and ICEpush JavaScript, so they will not function correctly with the HttpOnly setting; in fact, they are primarily used to communicate between browser windows when local storage is not available.
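
The constraint described in the reply above, as an added example that is not part of the original thread or of ICEfaces itself: a Node.js check over Set-Cookie headers that requires HttpOnly on every cookie except the script-read ICEfaces cookies named in this thread. The function names and sample headers are constructed, and reporting a missing Secure flag on every cookie assumes the site is served over HTTPS only.

```javascript
// Added example: audit Set-Cookie headers, exempting script-read cookies from HttpOnly.
// Cookie names come from this thread; the header values below are constructed samples.
const SCRIPT_READ = new Set([
  "ice.push.browser", "ice.connection.contextpath",
  "ice.connection.lease", "ice.pushids",
]);

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const attrs = new Set(
    rest.filter(Boolean).map((a) => a.split("=")[0].trim().toLowerCase())
  );
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Findings: a flag that is missing, or an HttpOnly flag that would hide a
// cookie the client-side code has to read.
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c) { findings.push({ name: null, issue: "malformed" }); continue; }
    const httpOnly = c.attrs.has("httponly");
    if (SCRIPT_READ.has(c.name)) {
      if (httpOnly) findings.push({ name: c.name, issue: "httponly-breaks-script-read" });
    } else if (!httpOnly) {
      findings.push({ name: c.name, issue: "missing-httponly" });
    }
    // Secure does not hide a cookie from script on an HTTPS page (assumption: HTTPS-only site).
    if (!c.attrs.has("secure")) findings.push({ name: c.name, issue: "missing-secure" });
  }
  return findings;
}

// Names page script would see via document.cookie: HttpOnly cookies are withheld.
function scriptVisible(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => c && !c.attrs.has("httponly"))
    .map((c) => c.name);
}

const SAMPLE_HEADERS = [ // constructed
  "JSESSIONID=abc123; Path=/app",
  "ice.push.browser=xyz; Path=/; Secure",
  "ice.pushids=p1; Path=/; HttpOnly; Secure",
];
console.log(auditCookies(SAMPLE_HEADERS), scriptVisible(SAMPLE_HEADERS));
```
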
