Session's cookie expiration and HttpOnly
Bug #324779 reported by gimenete
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
play framework | Fix Committed | Undecided | Nicolas Leroux | |
Bug Description
There is no way to change the expiration date of the session's cookie. It would also be useful to be able to set the cookie as HttpOnly to minimize any possible XSS attack.
The default expiration time could be set as a parameter in the configuration file. However, I would like to implement the typical functionality of "remind me in this computer". That is, a checkbox that, when selected, makes the expiration date longer than when it is not selected. That is, the expiration date could be changed programmatically.
Changed in play:
status: New → Fix Committed
Changed in play:
status: Fix Committed → Confirmed
Changed in play:
assignee: nobody → Nicolas Leroux (nicolas-lunatech)
milestone: none → 1.1
Changed in play:
status: Confirmed → Fix Committed
The expiration date of the session cookie is now configurable through the application.sessionMaxAge configuration property:
application.sessionMaxAge=20mn
For the HttpOnly cookie we have to wait until AsyncWeb supports it ...
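The behaviour requested in this report, as an added example in plain Java (not Play's own code): a "remember me" flag selects the cookie lifetime, and HttpOnly is always set so page scripts cannot read the session cookie. The class name, cookie name, the `30d` value and the `s`/`h`/`d` suffixes are assumptions; only `20mn` appears on the page.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SessionCookieExample {
    // "20mn" is the form shown in the bug comment; the s/h/d suffixes are assumptions.
    private static final Pattern DURATION = Pattern.compile("(\\d+)(s|mn|h|d)");

    /** Converts a duration such as "20mn" into seconds for the Max-Age attribute. */
    static long parseSeconds(String value) {
        Matcher m = DURATION.matcher(value.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("Unsupported duration: " + value);
        }
        long n = Long.parseLong(m.group(1));
        switch (m.group(2)) {
            case "s":  return n;
            case "mn": return n * 60;
            case "h":  return n * 3600;
            default:   return n * 86400; // "d"
        }
    }

    /** Builds a Set-Cookie header value; maxAge == null yields a browser-session cookie. */
    static String sessionCookie(String name, String value, String maxAge, boolean secure) {
        // Refuse characters that could break out of the header or the cookie value.
        if (!value.matches("[A-Za-z0-9._~-]+")) {
            throw new IllegalArgumentException("Illegal character in cookie value");
        }
        StringBuilder sb = new StringBuilder();
        sb.append(name).append('=').append(value).append("; Path=/");
        if (maxAge != null) {
            sb.append("; Max-Age=").append(parseSeconds(maxAge));
        }
        if (secure) {
            sb.append("; Secure"); // only sent over HTTPS
        }
        sb.append("; HttpOnly");   // not exposed to document.cookie
        return sb.toString();
    }

    public static void main(String[] args) {
        // Stand-in for the state of the checkbox on the login form.
        boolean rememberMe = args.length > 0 && args[0].equals("remember");
        // Constructed sample values: a longer lifetime only when the box is ticked.
        String maxAge = rememberMe ? "30d" : "20mn";
        System.out.println("Set-Cookie: "
                + sessionCookie("APP_SESSION", "c2Vzc2lvbi1pZA", maxAge, true));
    }
}
```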