
30 Jun 2011, 10:39 a.m.
On Jun 30, 2011 8:25 AM, "Chris Smith"
The kinds of cookies generated by clientsession are not really vulnerable to cookie-stealing attacks anyway due to the encryption that goes on [...]
On further thought, I'm wrong about this... but the conclusion is the same; those cookies definitely ought to be setting the http-only flag.