Cannot set the httpOnly property on cookies

Bug #640293 reported by paul.lemon
Affects: play framework
Status: Fix Committed
Importance: Medium
Assigned to: Nicolas Leroux

Bug Description

We need to be able to set the httpOnly property on cookies created.
This is a security requirement for our web application.
http://www.owasp.org/index.php/HttpOnly explains this requirement.

The play cookie object (play.mvc.Http.Cookie) does not have any
property for httpOnly and also looking at the code in
play.mvc.HttpHandler there isn't any code related to the httpOnly
property.

Play framework should expose a boolean property on play.mvc.Http.Cookie to allow this to be set.

I believe httpOnly should be set by default as this is a common security issue for all web sites.

paul.lemon (paul-lemon)
visibility: private → public
Changed in play:
assignee: nobody → Nicolas Leroux (nicolas-lunatech)
milestone: none → 1.1
status: New → Confirmed
importance: Undecided → Medium
Changed in play:
status: Confirmed → Fix Committed
This report contains Public Security information  
Everyone can see this security related information.
