In Tomcat 5.* and 6.* this was not an issue, because the default Tomcat configuration did not add the
HttpOnly flag to the session cookie, so JavaScript in pages generated by the webapp could access it.
Reference on this:
However, the default value of the useHttpOnly context parameter was changed from false to true in Tomcat 7.0.
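The following is an added example, not code from the original page or from Tomcat: a Python check that reads a context.xml and reports whether the session cookie ends up HttpOnly, and whether that changes across an upgrade, using the defaults stated above. The function names and sample documents are constructed; treating releases after 7.0 as keeping the true default, and reading the attribute as a case-insensitive "true", are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample context.xml documents (not from the original page).
IMPLICIT = '<Context path="/app"/>'                          # relies on the default
EXPLICIT_OFF = '<Context path="/app" useHttpOnly="false"/>'  # cookie readable by JS
EXPLICIT_ON = '<Context path="/app" useHttpOnly="true"/>'    # cookie hidden from JS


def default_use_http_only(tomcat_major: int) -> bool:
    """Default per the page: false in 5.x/6.x, true in 7.0.
    Assumption: later major versions keep the 7.0 default."""
    return tomcat_major >= 7


def effective_use_http_only(context_xml: str, tomcat_major: int) -> bool:
    """True if the session cookie will carry HttpOnly for this context."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("root element is not <Context>")
    raw = root.get("useHttpOnly")
    if raw is None:
        # Attribute absent: the version default decides.
        return default_use_http_only(tomcat_major)
    # Assumption: only a case-insensitive "true" enables the flag.
    return raw.lower() == "true"


def changes_on_upgrade(context_xml: str, old_major: int, new_major: int) -> bool:
    """True if the upgrade silently flips HttpOnly for this context."""
    before = effective_use_http_only(context_xml, old_major)
    after = effective_use_http_only(context_xml, new_major)
    return before != after


if __name__ == "__main__":
    samples = [("implicit", IMPLICIT), ("explicit off", EXPLICIT_OFF),
               ("explicit on", EXPLICIT_ON)]
    for name, doc in samples:
        print(f"{name:13} Tomcat 6: {effective_use_http_only(doc, 6)!s:5} "
              f"Tomcat 7: {effective_use_http_only(doc, 7)!s:5} "
              f"flips on 6->7: {changes_on_upgrade(doc, 6, 7)}")
```

Only the context with no explicit attribute flips on a 6 to 7 upgrade, which is where page scripts that read the session cookie stop working. A context pinned to false keeps the cookie exposed to JavaScript on every version and is the one to review.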