Wednesday, February 25, 2009

Apache Tomcat HttpOnly Support Saga Continues

I see Mark Thomas from Apache still trying to get resolution on whether to back-port the Apache Tomcat 7 HTTPOnly session-id attribution (per Java Servlet 3.0) into Tomcat 6 (a Servlet 2.5 container). The patch has been complete for well over 5 months and is still awaiting approval. What's more important here: standards or security?

For more info:
Update: HTTPOnly is now supported in at least some versions of Tomcat! http://manicode.blogspot.com/2009/03/httponly-supported-in-tomcat-6019.html
