In Tomcat 5.* and 6.* this was not an issue, because the default Tomcat configuration did not add the
HttpOnly flag to the session cookie, so JavaScript in webapp-generated pages could access it.
Reference on this:
However, the default value of the useHttpOnly context parameter was changed from false to true in Tomcat 7.0.
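As an added example (not part of the original page or of Tomcat itself), the following sketch resolves the effective useHttpOnly value for a set of context.xml files under the version defaults described above, and lists the contexts whose session cookie is still readable by JavaScript. The function names, file paths and sample Context elements are constructed for illustration, and the parsing of the attribute value (only "true", case-insensitive, enables the flag) is an assumption.

```python
import xml.etree.ElementTree as ET


def default_use_http_only(major):
    # Defaults as stated above: false in Tomcat 5.x/6.x, true from 7.0 on.
    return major >= 7


def resolve(context_xml, major):
    """Return (effective_value, source) for one context.xml document."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("root element is not <Context>")
    raw = root.get("useHttpOnly")
    if raw is None:
        # Attribute absent: the version default decides.
        return default_use_http_only(major), "default"
    # Assumption: only the literal "true" (any case) enables the flag.
    return raw.strip().lower() == "true", "explicit"


def audit(contexts, major):
    """List (file, source) for contexts whose session cookie lacks HttpOnly."""
    findings = []
    for name, xml_text in sorted(contexts.items()):
        enabled, source = resolve(xml_text, major)
        if not enabled:
            findings.append((name, source))
    return findings


# Constructed sample input: three hypothetical webapps.
SAMPLES = {
    "app-a/META-INF/context.xml": '<Context path="/app-a"/>',
    "app-b/META-INF/context.xml": '<Context path="/app-b" useHttpOnly="false"/>',
    "app-c/META-INF/context.xml": '<Context path="/app-c" useHttpOnly="true"/>',
}

if __name__ == "__main__":
    for major in (6, 7):
        for name, source in audit(SAMPLES, major):
            print(f"Tomcat {major}: {name}: cookie readable by JavaScript ({source})")
```

The same file set yields different findings on Tomcat 6 and Tomcat 7, because a context that omits the attribute inherits the version default.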