tomcat-dev mailing list archives

From Kubo Hiroshi <hiro...@netird.ad.jp>
Subject [PATCH] Bug 22905 - set secure option in cookie for JSESSIONID when communicating via SSL
Date Wed, 03 Sep 2003 07:13:49 GMT
This patch adds a "secureCookie" option to the SessionId Interceptor.

For example, 

<SessionId cookiesFirst="true" noCookies="false" secureCookie="true" />

If secureCookie is set to "true", the cookie for JSESSIONID sent via an SSL connection
will have the "Secure" option.

The patch below is for Tomcat-3.3.1a.


Hiroshi

===================================================================
--- src/share/org/apache/tomcat/modules/session/SessionId.java.orig	Wed Sep  3 15:34:11 2003
+++ src/share/org/apache/tomcat/modules/session/SessionId.java	Wed Sep  3 15:04:22 2003
@@ -96,6 +96,7 @@
     boolean noCookies=false;
     boolean cookiesFirst=true;
     boolean checkSSLSessionId=false;
+    boolean secureCookie=false;
     
     public SessionId() {
     }
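Review bot: `boolean secureCookie=false;` makes the option opt-in, so a configuration that does not set it keeps sending JSESSIONID without Secure over SSL. Since the last hunk only appends the attribute when `rrequest.isSecure()` is true, consider whether defaulting to true would be safe, or add a comment on the field explaining why it defaults to off.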
@@ -112,6 +113,10 @@
         this.checkSSLSessionId = checkSSLSessionId;
     }
 
+    public void setSecureCookie(boolean secureCookie) {
+        this.secureCookie = secureCookie;
+    }
+
     
     /** Extract the session id from the request.
      * SessionInterceptor will have to be called _before_ mapper,
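Review bot: The new `setSecureCookie` setter has no Javadoc, so nothing here says that the attribute only takes effect on requests where `isSecure()` is true. Add a short comment stating that and naming the `secureCookie` configuration attribute it backs. The added blank line after the method leaves two empty lines in a row and can be dropped.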
@@ -341,6 +346,9 @@
 	StringBuffer buf = new StringBuffer();
 	buf.append( "JSESSIONID=" ).append( reqSessionId );
 	buf.append( ";Path=" ).append(  sessionPath  );
+	if ( secureCookie && rrequest.isSecure() ) {
+            buf.append( ";Secure" );
+        }
 	response.addHeader( "Set-Cookie",
 			    buf.toString());
 	if( debug>0) log( "Setting cookie " + buf );
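Review bot: The new `if ( secureCookie && rrequest.isSecure() )` marks only cookies issued on a secure request, so a JSESSIONID first set over plain HTTP goes out without Secure, and this hunk does not show whether the id is reissued when the client later switches to SSL. Document that limitation with the option or comment why it is acceptable. The `buf.append( ";Secure" );` line and the closing brace are also indented with spaces where the surrounding lines use tabs.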
