[TRUNK-5009] Set HttpOnly for JSESSIONID cookie - OpenMRS Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Should
Resolution: Fixed
Affects Version/s: None
Fix Version/s: Platform 2.0.5, Core 2.1.0
Component/s: None
Labels:
None

Complexity:
Low
Development:

4 builds successfulDeployed to Sourceforge Mirror

Description

When you tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client script is strictly forbidden.

Since we do not currently have any requirement to manipulate the jsessionid cookie from client side scripts, setting this flag will make openmrs more secure.

For more details, see https://www.owasp.org/index.php/HttpOnly

Gliffy Diagrams

Attachments

Activity

People

Assignee:: Daniel Kayiwa

Reporter:: Daniel Kayiwa

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2017-01-10 06:46:12 GMT

Updated:: 2017-04-19 07:27:04 GMT

Resolved:: 2017-01-25 06:24:07 GMT