ESMTP id 00522E0177 for ; Sun, 13 Dec 2015 05:07:47 +0000 (UTC) Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 9A0B83A0176 for ; Sun, 13 Dec 2015 05:07:47 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1719762 - in /ofbiz/trunk: applications/marketing/src/org/ofbiz/marketing/tracking/ applications/order/src/org/ofbiz/order/shoppinglist/ applications/securityext/src/org/ofbiz/securityext/login/ framework/webapp/src/org/ofbiz/webapp/contro... Date: Sun, 13 Dec 2015 05:07:47 -0000 To: commits@ofbiz.apache.org 
From: jleroux@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20151213050747.9A0B83A0176@svn01-us-west.apache.org> Author: jleroux Date: Sun Dec 13 05:07:47 2015 New Revision: 1719762 URL: http://svn.apache.org/viewvc?rev=1719762&view=rev Log: 4th step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766 The secure flag on cookies instructs the browser to only submit the cookie as part of requests over secure (HTTPS) connections. This prevents the cookie from being observed as plain text in transit over the network. The HttpOnly flag instructs the browser that this cookie can only be accessed when sending an HTTP request. This prevents scripts running as part of a page from retrieving the value and is a defense against XSS attacks. Modified: ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java Modified: ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java?rev=1719762&r1=1719761&r2=1719762&view=diff ============================================================================== --- ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java (original) +++ ofbiz/trunk/applications/marketing/src/org/ofbiz/marketing/tracking/TrackingCodeEvents.java Sun Dec 13 05:07:47 2015 
@@ -31,14 +31,14 @@ import org.ofbiz.base.util.Debug; import org.ofbiz.base.util.UtilDateTime; import org.ofbiz.base.util.UtilMisc; import org.ofbiz.base.util.UtilValidate; -import org.ofbiz.webapp.stats.VisitHandler; -import org.ofbiz.webapp.website.WebSiteWorker; import org.ofbiz.entity.Delegator; import org.ofbiz.entity.GenericEntityException; import org.ofbiz.entity.GenericValue; import org.ofbiz.entity.util.EntityQuery; import org.ofbiz.entity.util.EntityUtilProperties; import org.ofbiz.product.category.CategoryWorker; +import org.ofbiz.webapp.stats.VisitHandler; +import org.ofbiz.webapp.website.WebSiteWorker; /** * Events used for maintaining TrackingCode related information @@ -228,6 +228,8 @@ public class TrackingCodeEvents { if (trackableLifetime.longValue() > 0) trackableCookie.setMaxAge(trackableLifetime.intValue()); trackableCookie.setPath("/"); if (cookieDomain.length() > 0) trackableCookie.setDomain(cookieDomain); + trackableCookie.setSecure(true); + trackableCookie.setHttpOnly(true); response.addCookie(trackableCookie); } @@ -238,6 +240,8 @@ public class TrackingCodeEvents { if (billableLifetime.longValue() > 0) billableCookie.setMaxAge(billableLifetime.intValue()); billableCookie.setPath("/"); if (cookieDomain.length() > 0) billableCookie.setDomain(cookieDomain); + billableCookie.setSecure(true); + billableCookie.setHttpOnly(true); response.addCookie(billableCookie); } 
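Review bot: `trackableCookie.setSecure(true)` (and the same call on the billable, siteId and updated-timestamp cookies here, and in the ShoppingListEvents, LoginEvents, LoginWorker and VisitHandler hunks) hard-codes the Secure attribute instead of deriving it from the request, so on a deployment that still answers plain HTTP the browser never returns these cookies and tracking, guest shopping lists and auto-login silently stop working. If HTTP is meant to stay supported anywhere, `trackableCookie.setSecure(request.isSecure());` keeps the attribute on HTTPS responses only; presumably `request` is a parameter of each surrounding event method, as the `getAutoLoginCookieName(request)` call in the LoginWorker hunk suggests. Either way the unconditional value deserves a one-line comment such as `// Secure is forced on: these cookies assume an HTTPS-only deployment (OFBIZ-6766)` so the next maintainer knows it is a deployment assumption rather than an oversight. HttpOnly is safe to force on all of these cookies since none of them is read from script on the visible lines. The enclosing methods start before and end after each hunk.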
@@ -264,13 +268,17 @@ public class TrackingCodeEvents { siteIdCookie.setMaxAge(siteIdCookieAge); siteIdCookie.setPath("/"); if (cookieDomain.length() > 0) siteIdCookie.setDomain(cookieDomain); - response.addCookie(siteIdCookie); + siteIdCookie.setSecure(true); + siteIdCookie.setHttpOnly(true); + response.addCookie(siteIdCookie); // if trackingCode.siteId is not null write a trackable cookie with name in the form: Ofbiz.TKCSiteId and timeout will be 60 * 60 * 24 * 365 Cookie updatedTimeStampCookie = new Cookie("Ofbiz.TKCD.UpdatedTimeStamp" ,UtilDateTime.nowTimestamp().toString()); updatedTimeStampCookie.setMaxAge(siteIdCookieAge); updatedTimeStampCookie.setPath("/"); if (cookieDomain.length() > 0) updatedTimeStampCookie.setDomain(cookieDomain); - response.addCookie(updatedTimeStampCookie); + updatedTimeStampCookie.setSecure(true); + updatedTimeStampCookie.setHttpOnly(true); + response.addCookie(updatedTimeStampCookie); } } Modified: ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java?rev=1719762&r1=1719761&r2=1719762&view=diff ============================================================================== --- ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java (original) +++ ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppinglist/ShoppingListEvents.java Sun Dec 13 05:07:47 2015 @@ -669,6 +669,8 @@ public class ShoppingListEvents { Cookie guestShoppingListCookie = new Cookie(guestShoppingUserName, autoSaveListId); guestShoppingListCookie.setMaxAge(cookieAge); guestShoppingListCookie.setPath("/"); + guestShoppingListCookie.setSecure(true); + guestShoppingListCookie.setHttpOnly(true); response.addCookie(guestShoppingListCookie); } } 
@@ -692,6 +694,8 @@ public class ShoppingListEvents { Cookie guestShoppingListCookie = new Cookie(guestShoppingUserName, null); guestShoppingListCookie.setMaxAge(0); guestShoppingListCookie.setPath("/"); + guestShoppingListCookie.setSecure(true); + guestShoppingListCookie.setHttpOnly(true); response.addCookie(guestShoppingListCookie); return "success"; } Modified: ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java?rev=1719762&r1=1719761&r2=1719762&view=diff ============================================================================== --- ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java (original) +++ ofbiz/trunk/applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java Sun Dec 13 05:07:47 2015 @@ -430,6 +430,8 @@ public class LoginEvents { cookie.setMaxAge(60 * 60 * 24 * 365); cookie.setPath("/"); cookie.setDomain(domain); + cookie.setSecure(true); + cookie.setHttpOnly(true); response.addCookie(cookie); } } Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=1719762&r1=1719761&r2=1719762&view=diff ============================================================================== --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original) +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Sun Dec 13 05:07:47 2015 @@ -763,6 +763,8 @@ public class LoginWorker { autoLoginCookie.setMaxAge(60 * 60 * 24 * 365); autoLoginCookie.setDomain(domain); autoLoginCookie.setPath("/"); + autoLoginCookie.setSecure(true); + autoLoginCookie.setHttpOnly(true); response.addCookie(autoLoginCookie); return autoLoginCheck(delegator, session, userLogin.getString("userLoginId")); } else { 
@@ -833,6 +835,8 @@ public class LoginWorker { Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), userLogin.getString("userLoginId")); autoLoginCookie.setMaxAge(0); autoLoginCookie.setPath("/"); + autoLoginCookie.setSecure(true); + autoLoginCookie.setHttpOnly(true); response.addCookie(autoLoginCookie); } // remove the session attributes Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719762&r1=1719761&r2=1719762&view=diff ============================================================================== --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original) +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sun Dec 13 05:07:47 2015 
@@ -1000,14 +1000,25 @@ public class RequestHandler { resp.addHeader("strict-transport-security", strictTransportSecurity); } } else { - if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { // FIXME later pass req.getAttribute("delegator") as last argument + if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains"); } } //The only x-vontent-type-options defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. // This also applies to Google Chrome, when downloading extensions. - resp.addHeader("x-content-type-options", "nosniff"); + resp.addHeader("x-content-type-options", "nosniff"); + + String setCookie = resp.getHeader("set-cookie"); + if (UtilValidate.isNotEmpty(setCookie)) { + setCookie = setCookie.toLowerCase(); + if (!setCookie.contains("secure")) { + resp.setHeader("set-cookie", setCookie + "; secure;"); // Adds a ";" trail to be sure to separate things + } + if (!setCookie.contains("httponly")) { + resp.setHeader("set-cookie", setCookie + "; httponly;"); // Adds a ";" trail to be sure to separate things + } + } try { if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module); Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java?rev=1719762&r1=1719761&r2=1719762&view=diff ============================================================================== --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java (original) +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/stats/VisitHandler.java Sun Dec 13 05:07:47 2015 
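Review bot: The new Set-Cookie rewrite after the `x-content-type-options` header only ever sees and keeps one cookie: `resp.getHeader("set-cookie")` returns the first Set-Cookie value and `resp.setHeader` then replaces every Set-Cookie header on the response, so a response carrying several cookies (the tracking, visitor and auto-login cookies added in this same commit can coexist) loses all but the first. The rewritten value is also lowercased, which corrupts case-sensitive cookie values such as session ids, and because both `if` blocks build from the same `setCookie` string a cookie missing both flags ends up with only `; httponly;` — the `; secure;` written by the first branch is overwritten — while `contains("secure")` is a substring test that also matches cookie names and values. The rewrite below iterates `resp.getHeaders("set-cookie")`, tests each attribute individually, and re-emits with one `setHeader` followed by `addHeader` (needs `java.util.ArrayList`/`java.util.List` in the import block if not already there). The container's own session cookie may be appended after this code runs, so it is better covered by the Servlet 3.0 `<cookie-config>` `<secure>`/`<http-only>` settings in web.xml. The enclosing method continues outside the hunk.
```java
resp.addHeader("x-content-type-options", "nosniff");

// Re-emit every Set-Cookie header with Secure/HttpOnly. getHeader() returns only the first one,
// setHeader() replaces them all, and a lowercased value would corrupt case-sensitive cookie values.
List<String> setCookies = new ArrayList<String>(resp.getHeaders("set-cookie"));
for (int i = 0; i < setCookies.size(); i++) {
    String header = setCookies.get(i);
    boolean hasSecure = false;
    boolean hasHttpOnly = false;
    String[] parts = header.split(";");
    for (int j = 1; j < parts.length; j++) { // parts[0] is name=value, never an attribute
        String attr = parts[j].trim().toLowerCase();
        hasSecure = hasSecure || "secure".equals(attr);
        hasHttpOnly = hasHttpOnly || "httponly".equals(attr);
    }
    if (!hasSecure) header += "; Secure";
    if (!hasHttpOnly) header += "; HttpOnly";
    if (i == 0) {
        resp.setHeader("set-cookie", header); // replaces the whole set; the rest are re-added below
    } else {
        resp.addHeader("set-cookie", header);
    }
}
// … unchanged: view rendering try block …
```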
@@ -271,6 +271,8 @@ public class VisitHandler { Cookie visitorCookie = new Cookie(visitorCookieName, visitor.getString("visitorId")); visitorCookie.setMaxAge(60 * 60 * 24 * 365); visitorCookie.setPath("/"); + visitorCookie.setSecure(true); + visitorCookie.setHttpOnly(true); response.addCookie(visitorCookie); } }