OpenMRS Core / TRUNK-5009

Set HttpOnly for JSESSIONID cookie


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Should
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: Platform 2.0.5, Core 2.1.0
    • Component/s: None
    • Labels: None
    • Complexity: Low

      Description

      When a cookie is tagged with the HttpOnly flag, the browser is told that this particular cookie should only be accessed by the server; any attempt to access the cookie from client-side script is refused.

      Since we currently have no requirement to manipulate the JSESSIONID cookie from client-side scripts, setting this flag makes OpenMRS more secure.

      For more details, see https://www.owasp.org/index.php/HttpOnly
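A check a reviewer of this fix would want, as an added example that is not OpenMRS code: parse a response's Set-Cookie headers and report whether the JSESSIONID cookie carries HttpOnly (the sample headers below are constructed, not captured from a real server).

```python
"""Audit Set-Cookie headers for the HttpOnly flag on the JSESSIONID cookie.

Added example, not OpenMRS code. The header lists below are constructed
samples of a session cookie before and after the fix in this issue.
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are case-insensitive (RFC 6265) and are lower-cased;
    flag attributes without '=' (HttpOnly, Secure) map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def audit_session_cookie(headers, cookie_name="JSESSIONID"):
    """Return {'httponly', 'secure', 'samesite'} for the named cookie in a
    list of (header_name, header_value) pairs, or None if the response does
    not set it. Cookie names are case-sensitive; header names are not."""
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(hvalue)
        if name == cookie_name:
            return {
                "httponly": "httponly" in attrs,
                "secure": "secure" in attrs,
                "samesite": attrs.get("samesite"),
            }
    return None


# Constructed sample responses (not captured from a real OpenMRS server).
BEFORE_FIX = [("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/openmrs")]
AFTER_FIX = [("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/openmrs; HttpOnly")]

if __name__ == "__main__":
    print("before:", audit_session_cookie(BEFORE_FIX))  # httponly False
    print("after: ", audit_session_cookie(AFTER_FIX))   # httponly True
```

The same audit reports Secure and SameSite, which the issue does not cover but which are usually reviewed alongside HttpOnly.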


            People

            Assignee: Daniel Kayiwa (dkayiwa)
            Reporter: Daniel Kayiwa (dkayiwa)
            Votes: 0
            Watchers: 1
