OpenMRS Core
TRUNK-5009

Set HttpOnly for JSESSIONID cookie

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Should
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: Platform 2.0.5, Core 2.1.0
    • Component/s: None
    • Labels: None
    • Complexity: Low

      Description

      When you tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be accessed by the server. Any attempt to read the cookie from client-side script (for example through document.cookie) is refused by the browser, so an XSS payload cannot simply exfiltrate the session id.

      Since we do not currently have any requirement to manipulate the JSESSIONID cookie from client-side scripts, setting this flag will make OpenMRS more secure.

      For more details, see https://www.owasp.org/index.php/HttpOnly
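      The following is an added example (not OpenMRS code and not the patch that closed this ticket) showing how a Servlet 3.0+ web application marks its container-managed session cookie HttpOnly at startup. The package name and class name are hypothetical; the only real API used is javax.servlet.SessionCookieConfig.

```java
// Added example, not OpenMRS project code. Package and class names are hypothetical.
package example.session;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Marks the container's session cookie (JSESSIONID by default) HttpOnly.
 *
 * Requires Servlet 3.0 or later. The equivalent declarative form in web.xml is:
 *
 *   <session-config>
 *     <cookie-config>
 *       <http-only>true</http-only>
 *     </cookie-config>
 *   </session-config>
 */
@WebListener
public class HttpOnlySessionCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // SessionCookieConfig may only be modified before the first HttpSession
        // is created; the container throws IllegalStateException afterwards.
        // That is why this runs from a ServletContextListener, not from a filter
        // or a servlet's init() that could fire after a session already exists.
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();

        // Browsers will refuse document.cookie access to the session id.
        cfg.setHttpOnly(true);

        // Closely related hardening, outside the scope of this ticket: only send
        // the session cookie over HTTPS. Enable once the deployment is TLS-only.
        // cfg.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release; the cookie configuration dies with the context.
    }
}
```

      To confirm the change took effect, request a page that starts a session and inspect the response headers (for example with `curl -sI` against the login page): the `Set-Cookie: JSESSIONID=...` line must now carry the `HttpOnly` attribute. Two caveats a reviewer would raise: HttpOnly only stops script from reading the cookie, it does nothing against CSRF or session fixation, and any cookies the application creates itself via `new Cookie(...)` are not covered by SessionCookieConfig and need `cookie.setHttpOnly(true)` individually.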

                People

                • Assignee:
                  dkayiwa Daniel Kayiwa
                  Reporter:
                  dkayiwa Daniel Kayiwa
                  Watchers:
                  Daniel Kayiwa