Secure should be set to prevent the cookie from being sent in the clear:
When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]). https://tools.ietf.org/html/rfc6265#section-4.1.2.5
HttpOnly should be set to prevent JavaScript attacks:
The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts). https://tools.ietf.org/html/rfc6265#section-4.1.2.6
Are you running with edu.illinois.techservices.elmr.servlets.DisableSecureCookies set to true? If so, that could be the culprit. By default, not setting this will enable secure cookies.
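To check which flags a deployed instance actually emits, for example to see whether the DisableSecureCookies setting mentioned above is in effect, the Set-Cookie response headers can be audited. The following is an added example, not Elmr's code; the function names, cookie names and cookie values are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the Secure and HttpOnly
# attributes, following the attribute parsing rules of RFC 6265 section 5.2.

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Return (cookie_name, {lowercased_attribute_name: attribute_value})."""
    parts = header_value.split(";")
    # The first segment is always the name=value pair, never an attribute.
    name, _, _value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        attr_name, _, attr_value = part.partition("=")
        attr_name = attr_name.strip().lower()  # attribute names are case-insensitive
        if attr_name:
            attributes[attr_name] = attr_value.strip()
    return name.strip(), attributes


def missing_flags(header_value):
    """List which of Secure / HttpOnly are absent from one Set-Cookie value."""
    _, attributes = parse_set_cookie(header_value)
    return [flag for flag in REQUIRED_FLAGS if flag not in attributes]


def audit(header_values):
    """Map cookie name -> missing flags, only for cookies missing something."""
    findings = {}
    for value in header_values:
        name, _ = parse_set_cookie(value)
        missing = missing_flags(value)
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers (cookie names and values are made up).
SAMPLE_HEADERS = [
    "sessionA=abc123; Path=/",
    "sessionB=abc123; Path=/; Secure",
    "sessionC=abc123; Path=/; secure; HTTPONLY",
    "sessionD=Secure; Path=/; HttpOnly",  # the value "Secure" is not the flag
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Feed it the Set-Cookie values captured from a response of the instance under test; a cookie that appears in the result is being issued without at least one of the two attributes.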
Elmr does not set the Secure or HttpOnly flags for the cookie it creates as can be seen here: