tapestry-dev mailing list archives
From "Barry Books (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TAP5-2327) The Cookies interface should provide an option to mark cookies as httpOnly
Date Mon, 07 Mar 2016 13:33:40 GMT

    [ https://issues.apache.org/jira/browse/TAP5-2327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15182997#comment-15182997 ]

Barry Books commented on TAP5-2327:
-----------------------------------


I believe you have to switch to Java 7 to get the servlet 3.0 spec, and Jetty 7 in Tapestry
test only supports 2.5. Currently setting the httpOnly flag is way more difficult than it
should be because the framework does not support it at all. I do it now by overriding the
service and always setting the httpOnly flag if I'm in production mode. That works OK if you
always want to set the flag.

I thought about patching the service to log an error if the httpOnly flag is set, but then the
logs get filled up, and in the end I decided not supporting httpOnly is a documentation problem.
Either way would be fine with me, but I think the application should be able to set the httpOnly
flag and have the service adapt to whatever the environment is.

I'm also assuming this will be in 5.5 anyway.


> The Cookies interface should provide an option to mark cookies as httpOnly
> --------------------------------------------------------------------------
>
>                 Key: TAP5-2327
>                 URL: https://issues.apache.org/jira/browse/TAP5-2327
>             Project: Tapestry 5
>          Issue Type: New Feature
>          Components: tapestry-core
>    Affects Versions: 5.3.7, 5.4
>            Reporter: Martin Schneider
>         Attachments: 0001-TAP-2327-add-httpOnly-method-to-support-Servlet-3.0.patch,
>                      0002-TAP-2327-add-support-for-version-and-comment.patch
>
>
> Since Servlet 3.0 there is an option to mark cookies as httpOnly via javax.servlet.http.Cookie.setHttpOnly(boolean).
> There should be an option to use that in org.apache.tapestry5.services.Cookies. In 5.3.7 the
> default implementation does not set the httpOnly flag.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
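The adaptive behaviour asked for above (set HttpOnly where the container offers Cookie.setHttpOnly, and still get the flag on a Servlet 2.5 container) can be done outside the framework. The following is an added example, not Tapestry code and not either patch attached to the issue; the class name HttpOnlyCookieWriter, its method names and the parameter list are assumptions. It detects the Servlet 3.0 method by reflection and, when it is absent, writes the Set-Cookie header by hand, which is the only way to emit HttpOnly through the 2.5 API:

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not Tapestry's Cookies service): writes a cookie with the
 * HttpOnly flag on both Servlet 3.0+ and Servlet 2.5 containers.
 */
public final class HttpOnlyCookieWriter {

    // Resolved once at class load: null on a Servlet 2.5 container, non-null on 3.0+.
    private static final Method SET_HTTP_ONLY = lookupSetHttpOnly();

    // RFC 6265 token / cookie-octet: keeps a caller-supplied value from smuggling
    // extra attributes or a second header into the hand-built Set-Cookie line.
    private static final Pattern NAME = Pattern.compile("[!#$%&'*+\\-.0-9A-Z^_`a-z|~]+");
    private static final Pattern VALUE = Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");

    private HttpOnlyCookieWriter() {}

    private static Method lookupSetHttpOnly() {
        try {
            return Cookie.class.getMethod("setHttpOnly", boolean.class);
        } catch (NoSuchMethodException e) {
            return null; // Servlet 2.5: the API has no HttpOnly flag at all
        }
    }

    /** True when javax.servlet.http.Cookie exposes setHttpOnly (Servlet 3.0+). */
    public static boolean containerSupportsHttpOnly() {
        return SET_HTTP_ONLY != null;
    }

    /**
     * Writes name=value with Path, Max-Age, optional Secure, and always HttpOnly.
     * maxAgeSeconds < 0 means a session cookie (no Max-Age attribute).
     */
    public static void write(HttpServletResponse response, String name, String value,
                             String path, int maxAgeSeconds, boolean secure) {
        validate(name, value);
        if (SET_HTTP_ONLY != null) {
            Cookie cookie = new Cookie(name, value);
            cookie.setPath(path);
            cookie.setMaxAge(maxAgeSeconds);
            cookie.setSecure(secure);
            try {
                SET_HTTP_ONLY.invoke(cookie, Boolean.TRUE);
            } catch (IllegalAccessException e) {
                throw new IllegalStateException("Cookie.setHttpOnly not callable", e);
            } catch (InvocationTargetException e) {
                throw new IllegalStateException("Cookie.setHttpOnly failed", e);
            }
            response.addCookie(cookie);
            return;
        }
        // Servlet 2.5 fallback: addCookie() cannot carry HttpOnly, so emit the header directly.
        response.addHeader("Set-Cookie", buildHeader(name, value, path, maxAgeSeconds, secure));
    }

    static String buildHeader(String name, String value, String path, int maxAgeSeconds, boolean secure) {
        validate(name, value);
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            sb.append("; Path=").append(path);
        }
        if (maxAgeSeconds >= 0) {
            sb.append("; Max-Age=").append(maxAgeSeconds);
        }
        if (secure) {
            sb.append("; Secure");
        }
        return sb.append("; HttpOnly").toString();
    }

    private static void validate(String name, String value) {
        if (name == null || !NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        if (value == null || !VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid cookie value");
        }
    }
}
```

Two caveats for anyone using the fallback path: the container's own session cookie (JSESSIONID) is not written through this class, so its HttpOnly flag still depends on container configuration; and the hand-built header uses Max-Age rather than an Expires date, which very old browsers ignore, so test the expiry behaviour on the clients you support. The same check that picks the code path can drive the logging decision discussed above: log once at startup when containerSupportsHttpOnly() is false instead of on every cookie write.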
