In Tomcat 5.* and 6.* this was not an issue, because the default Tomcat configuration did not add the
HttpOnly flag to the session cookie, so JavaScript in webapp-generated pages could access it.
Reference on this:
However, the default value of the useHttpOnly context parameter was changed from false to true in Tomcat 7.0.
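As an added example (not from the original page and not Tomcat code), this Python check works out whether a context's session cookie ends up with the HttpOnly flag, combining an explicit useHttpOnly attribute with the version defaults described above. The function names, deployment names and sample context.xml strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def default_use_http_only(tomcat_major: int) -> bool:
    """Default described on this page: false in Tomcat 5.x/6.x, true from 7.0."""
    return tomcat_major >= 7


def effective_use_http_only(context_xml: str, tomcat_major: int) -> bool:
    """Return True if the session cookie will carry the HttpOnly flag."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element")
    raw = root.get("useHttpOnly")
    if raw is None:
        # Attribute absent: the version-dependent default applies.
        return default_use_http_only(tomcat_major)
    # Assumption: only the literal "true" (any letter case) enables the flag.
    return raw.strip().lower() == "true"


def audit(deployments):
    """Return (name, reason) for contexts whose session cookie is script-readable."""
    findings = []
    for name, major, xml_text in deployments:
        explicit = ET.fromstring(xml_text).get("useHttpOnly") is not None
        if not effective_use_http_only(xml_text, major):
            reason = "explicit setting" if explicit else "version default"
            findings.append((name, reason))
    return findings


# Constructed sample input: (name, Tomcat major version, context.xml content).
SAMPLES = [
    ("legacy-6", 6, "<Context/>"),
    ("hardened-6", 6, '<Context useHttpOnly="true"/>'),
    ("default-7", 7, "<Context/>"),
    ("optout-7", 7, '<Context useHttpOnly="false"/>'),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLES):
        print(f"{name}: session cookie lacks HttpOnly ({reason})")
```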