Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Message-ID: <003f01c371ed$1190dc80$d2b32b04@dslverizon.net>
From: "Bill Barker"
To: "Tomcat Developers List"
References: <87ekyyibte.wl%hiroshi@netird.ad.jp>
Subject: Re: [PATCH] Bug 22905 - set secure option in cookie for JSESSIONID when communicating via SSL
Date: Wed, 3 Sep 2003 00:29:10 -0700

I know that "patches are always welcome", but a variant of this has been in 3.3.2-dev (aka nightly) for a very long time.

----- Original Message -----
From: "Kubo Hiroshi"
To:
Sent: Wednesday, September 03, 2003 12:13 AM
Subject: [PATCH] Bug 22905 - set secure option in cookie for JSESSIONID when communicating via SSL

> This patch adds a "secureCookie" option to the SessionId Interceptor.
>
> For example,
>
>
>
> If secureCookie is set to "true", the cookie for JSESSIONID sent via an SSL connection
> will have the "Secure" option.
>
> The patch below is for Tomcat-3.3.1a.
>
>
> Hiroshi
>
> =================================================================== > --- src/share/org/apache/tomcat/modules/session/SessionId.java.orig Wed Sep 3 15:34:11 2003 > +++ src/share/org/apache/tomcat/modules/session/SessionId.java Wed Sep 3 15:04:22 2003 > @@ -96,6 +96,7 @@ > boolean noCookies=false; > boolean cookiesFirst=true; > boolean checkSSLSessionId=false; > + boolean secureCookie=false; > > public SessionId() { > } > @@ -112,6 +113,10 @@ > this.checkSSLSessionId = checkSSLSessionId; > } > > + public void setSecureCookie(boolean secureCookie) { > + this.secureCookie = secureCookie; > + } > + > > /** Extract the session id from the request. > * SessionInterceptor will have to be called _before_ mapper,
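Review bot: the new option is undocumented in the patch itself: the first hunk defaults secureCookie to false, so the Secure attribute stays off until an administrator turns it on, and the setSecureCookie setter added in the second hunk carries no Javadoc, unlike the "Extract the session id" comment that follows it. Add a comment on the setter stating that the attribute is only emitted when the request itself arrived over SSL, and note in the message where (if anywhere) the module's configuration reference is updated, since the diff touches only SessionId.java.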
> @@ -341,6 +346,9 @@ > StringBuffer buf = new StringBuffer(); > buf.append( "JSESSIONID=" ).append( reqSessionId ); > buf.append( ";Path=" ).append( sessionPath ); > + if ( secureCookie && rrequest.isSecure() ) { > + buf.append( ";Secure" ); > + } > response.addHeader( "Set-Cookie", > buf.toString()); > if( debug>0) log( "Setting cookie " + buf );
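Review bot: in the third hunk the Secure attribute is appended only when `secureCookie && rrequest.isSecure()` holds, so a deployment that terminates SSL in front of Tomcat and hands the connector plain HTTP will never see the flag even with secureCookie="true"; that limitation belongs in the option's description, because it is the setup where operators most expect the flag to appear. Also, `rrequest` is not declared anywhere in the hunk, so confirm it is the Request parameter of the enclosing method and not a misspelling of `request`; the hunk would not compile otherwise.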
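The following is an added example, not part of this thread and not Tomcat code. It restates in Python the rule the patch applies when building the JSESSIONID header (emit ";Secure" only when the option is on and the request came over SSL) and adds a small audit that scans Set-Cookie values captured from a server and reports a session cookie issued over TLS without the Secure attribute. The sample header values are constructed, and the names build_session_cookie, parse_set_cookie and find_insecure_session_cookies are the example's own.

```python
"""Secure attribute on the JSESSIONID cookie.

Added example (Python), not Tomcat code: mirrors the decision made in the
patch to SessionId.java and audits captured Set-Cookie headers for a
session cookie that was issued over TLS without the Secure attribute.
"""

# Cookie names treated as session cookies by the audit (example's own list).
SESSION_COOKIE_NAMES = ("JSESSIONID",)


def build_session_cookie(session_id, session_path, secure_cookie, request_is_secure):
    """Same rule as the patched code: ';Secure' is appended only when the
    secureCookie option is enabled AND the request itself arrived over SSL.
    Over plain HTTP the attribute is deliberately left off."""
    header = "JSESSIONID=" + session_id + ";Path=" + session_path
    if secure_cookie and request_is_secure:
        header += ";Secure"
    return header


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive, so they are lower-cased; flag
    attributes such as Secure (no '=value') map to True.
    """
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def find_insecure_session_cookies(set_cookie_headers, over_tls, names=SESSION_COOKIE_NAMES):
    """Return the Set-Cookie values that issue a session cookie over a TLS
    connection without the Secure attribute.

    Nothing is reported for a plain-HTTP connection: that is the case the
    patch itself excludes via rrequest.isSecure(), so a missing Secure
    there is expected rather than a finding.
    """
    if not over_tls:
        return []
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name in names and "secure" not in attrs:
            findings.append(header)
    return findings


# Constructed sample headers: a server with the option off, one with it on,
# an upper-cased attribute name, and an unrelated cookie that must be ignored.
SAMPLE_HEADERS = [
    "JSESSIONID=7F3A1C0D;Path=/shop",            # option off (default) or unpatched
    "JSESSIONID=7F3A1C0D;Path=/shop;Secure",     # secureCookie="true" over SSL
    "JSESSIONID=9B2E;Path=/admin; SECURE",       # attribute names are case-insensitive
    "theme=dark; Path=/; Max-Age=3600",          # not a session cookie
]

if __name__ == "__main__":
    for header in find_insecure_session_cookies(SAMPLE_HEADERS, over_tls=True):
        print("session cookie issued over TLS without Secure:", header)
```

Running the audit against headers recorded from an HTTPS request is a quick way to confirm that the option actually took effect in a given deployment; if SSL is terminated in front of the servlet container, the container's own view of the request may not be secure, and the audit will then report exactly the cookie the patch declined to mark.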