A security audit of my site indicated a "Missing HttpOnly attribute in Session Cookie" problem. If this is a security problem, then why does the useHttpOnly attribute in Context default to false? I'm not specifically setting any cookies...
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

Using CATALINA_BASE: "C:\apache-tomcat-6.0.29"
Using CATALINA_HOME: "C:\apache-tomcat-6.0.29"
Using CATALINA_TMPDIR: "C:\apache-tomcat-6.0.29\temp"
Using JRE_HOME: "C:\Program Files\Java\jdk1.6.0_20"
Using CLASSPATH: "C:\apache-tomcat-6.0.29\bin\bootstrap.jar"
Server version: Apache Tomcat/6.0.29
Server built: July 19 2010 1458
Server number: 6.0.0.29
OS Name: Windows 2003
OS Version: 5.2
Architecture: x86
JVM Version: 1.6.0_20-b02
JVM Vendor: Sun Microsystems Inc

Leo