Musings on Software Engineering and Application Security from Jim Manico
Wednesday, February 25, 2009
Apache Tomcat HttpOnly Support Saga Continues
I see Mark Thomas from Apache is still trying to get resolution on whether to back-port the Apache Tomcat 7 HttpOnly session-id attribution (per Java Servlet 3.0) into Tomcat 6 (a Servlet 2.5 container). The patch has been complete for well over 5 months and is still awaiting approval. What's more important here: standards or security?