In Tomcat 5.* and 6.* this was not an issue, because by default the Tomcat configuration did not add the
HttpOnly flag to the session cookie, so JavaScript in webapp-generated pages could access it.
Reference on this:
However, the default value of the useHttpOnly context parameter was changed from false to true in Tomcat 7.0.
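As an added example (not part of the original page), the following script works out whether a given context.xml leaves the session cookie readable by JavaScript under the defaults described above. The function names and sample contexts are constructed for illustration, and it assumes the only relevant setting is the useHttpOnly attribute on the Context element.

```python
import xml.etree.ElementTree as ET


def default_use_http_only(tomcat_major: int) -> bool:
    # Defaults as stated on this page: false in Tomcat 5.x/6.x, true from 7.0.
    return tomcat_major >= 7


def effective_use_http_only(context_xml: str, tomcat_major: int) -> bool:
    """Return True if the session cookie is issued with HttpOnly."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("root element is not <Context>")
    raw = root.get("useHttpOnly")
    if raw is None:
        # Attribute absent: the version-specific default applies.
        return default_use_http_only(tomcat_major)
    # Same rule as Java's Boolean.valueOf: only "true" (any case) is true.
    return raw.lower() == "true"


# Constructed sample inputs: (description, context.xml text, Tomcat major version).
SAMPLES = [
    ("Tomcat 6, attribute absent", '<Context path="/legacy"/>', 6),
    ("same file after upgrade to Tomcat 7", '<Context path="/legacy"/>', 7),
    ("Tomcat 7, explicit opt-out", '<Context path="/legacy" useHttpOnly="false"/>', 7),
    ("Tomcat 6, explicit opt-in", '<Context path="/legacy" useHttpOnly="true"/>', 6),
]


def script_readable_contexts(samples):
    """Names of contexts whose session cookie JavaScript can still read."""
    return [name for name, xml, major in samples
            if not effective_use_http_only(xml, major)]


if __name__ == "__main__":
    for name in script_readable_contexts(SAMPLES):
        print("session cookie readable by scripts:", name)
```

The second sample shows the behaviour change: an unchanged context.xml stops exposing the session cookie to page scripts once it runs on Tomcat 7.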