I see Mark Thomas from Apache still trying to get a resolution on whether to back-port the Apache Tomcat 7 HTTPOnly session-cookie attribute (per Java Servlet 3.0) into Tomcat 6 (a Servlet 2.5 container). The patch has been complete for well over 5 months and is still awaiting approval. What's more important here: standards or security?
For more info:
Update: HTTPOnly is now supported in at least some versions of Tomcat!
http://manicode.blogspot.com/2009/03/httponly-supported-in-tomcat-6019.html
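As an added example (not code from this post or from the Tomcat project), here is a small Python audit that parses Set-Cookie header values and reports session cookies missing the HttpOnly flag the back-port above is about; it goes a step further and also reports a missing Secure flag. The sample headers and the set of session-cookie names are constructed assumptions.

```python
"""Audit Set-Cookie headers for session cookies lacking HttpOnly (and Secure)."""
from typing import Dict, List, Tuple

# Assumption: cookie names treated as session identifiers (JSESSIONID is Tomcat's default).
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"}


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; bare flags such as HttpOnly and Secure
    map to an empty string so presence can be tested with `in`.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(set_cookie_headers: List[str]) -> List[Dict[str, object]]:
    """Return one finding per session cookie that lacks HttpOnly or Secure."""
    findings: List[Dict[str, object]] = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are out of scope for this check
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            findings.append({"cookie": name, "missing": missing})
    return findings


# Constructed sample: a container that omits the flags and a hardened one.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app",
    "JSESSIONID=FEDCBA9876543210; Path=/app; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(f"{finding['cookie']}: missing {', '.join(finding['missing'])}")
```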