Implementing support for HTTPOnly cookies (access allowed only for the server and prohibited for client-side script) in Red Hat Network Satellite / Spacewalk services could block exploitation of some XSS flaws.

References:
[1] http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
[2] http://stackoverflow.com/questions/528405/which-browsers-do-support-httponly-cookies
[3] https://www.owasp.org/index.php/HttpOnly
[4] http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie
[5] http://w2spconf.com/2010/papers/p25.pdf
[6] http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps
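The following is an added example, not code from this bug report or from Spacewalk/Satellite: a small audit script a defender can run over the Set-Cookie headers a server emits to see which cookies remain readable by client-side script (no HttpOnly attribute), plus a helper that appends the attribute where it is missing. The cookie names and values in SAMPLE_SET_COOKIE are constructed for illustration and do not come from any real server.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute and add it where missing.

Added example; not Spacewalk/Satellite code. Cookie names and values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass
class SetCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or True for value-less flags such as HttpOnly/Secure
    attrs: Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> SetCookie:
    """Split one Set-Cookie header value into cookie name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return SetCookie(name.strip(), value.strip(), attrs)


def is_http_only(header: str) -> bool:
    """True only when the bare HttpOnly flag (any letter case) is present."""
    return parse_set_cookie(header).attrs.get("httponly") is True


def find_script_readable(headers: List[str]) -> List[str]:
    """Names of cookies that document.cookie could expose to injected script."""
    return [parse_set_cookie(h).name for h in headers if not is_http_only(h)]


def with_http_only(header: str) -> str:
    """Return the header with '; HttpOnly' appended if absent (idempotent)."""
    if is_http_only(header):
        return header
    return header.rstrip().rstrip(";") + "; HttpOnly"


# Constructed sample response headers (not captured from a real server).
SAMPLE_SET_COOKIE = [
    "JSESSIONID=3F2A9C0B7E1D; Path=/; Secure",       # session cookie, HttpOnly missing
    "prefs=theme%3Ddark; Path=/; Max-Age=2592000",   # low-value preference cookie, HttpOnly missing
    "csrf_seen=1; Path=/; Secure; HttpOnly",         # already flagged
]

if __name__ == "__main__":
    for name in find_script_readable(SAMPLE_SET_COOKIE):
        print(f"cookie {name!r} is readable by client-side script (no HttpOnly)")
    for h in SAMPLE_SET_COOKIE:
        print(with_http_only(h))
```

The check deliberately treats `HttpOnly=` with an empty value as missing, since the attribute is defined as a bare flag. On the server side the flag is normally set at the source rather than patched in afterwards: for a Tomcat-hosted application the session cookie gets it from `useHttpOnly="true"` on the `<Context>` element (Tomcat 6.0.19 and later), and Servlet 3.0 added `Cookie.setHttpOnly(boolean)` for application-set cookies. Note that HttpOnly stops script from reading the cookie; it does not stop a script that is already running in the victim's session from issuing requests, so it narrows the impact of an XSS flaw rather than fixing it.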
*** Bug 710620 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2011-1299.html
The issue has been addressed in Spacewalk master by commit a779c73eab6a65f38a03d8fb27b06cc1f71842fc
713477 - made session cookies httponly
Fixed package: spacewalk-config-1.6.2-1