From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: svn commit: r694992 - in /tomcat/trunk: java/org/apache/catalina/ java/org/apache/catalina/connector/ java/org/apache/catalina/session/ java/org/apache/tomcat/util/http/ webapps/docs/config/
Date Mon, 15 Sep 2008 15:00:34 GMT
should the default be false, to mimic previous behavior?

Filip

markt@apache.org wrote:
> Author: markt
> Date: Sat Sep 13 10:39:47 2008
> New Revision: 694992
>
> URL: http://svn.apache.org/viewvc?rev=694992&view=rev
> Log:
> Add HttpOnly support to session cookies. It is enabled by default and can be disabled
via manager configuration.
> Based on a patch by Jim Manico.
>
> Modified:
>     tomcat/trunk/java/org/apache/catalina/Manager.java
>     tomcat/trunk/java/org/apache/catalina/connector/Request.java
>     tomcat/trunk/java/org/apache/catalina/connector/Response.java
>     tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
>     tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
>     tomcat/trunk/webapps/docs/config/manager.xml
>
> Modified: tomcat/trunk/java/org/apache/catalina/Manager.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Manager.java?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/Manager.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/Manager.java Sat Sep 13 10:39:47 2008
> @@ -240,6 +240,24 @@
>      public void setSessionAverageAliveTime(int sessionAverageAliveTime);
>  
>  
> +    /**
> +     * Gets the value of the use HttpOnly cookies for session cookies flag.
> +     * 
> +     * @return <code>true</code> if the HttpOnly flag should be set on session
> +     *         cookies
> +     */
> +    public boolean getUseHttpOnly();
> +
> +
> +    /**
> +     * Sets the use HttpOnly cookies for session cookies flag.
> +     * 
> +     * @param useHttpOnly   Set to <code>true</code> to use HttpOnly cookies
> +     *                          for session cookies
> +     */
> +    public void setUseHttpOnly(boolean useHttpOnly);
> +
> +
>      // --------------------------------------------------------- Public Methods
>  
>  
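Review bot: `getUseHttpOnly` and `setUseHttpOnly` are added as abstract methods on the public `Manager` interface, so any third-party `Manager` implementation that does not extend `ManagerBase` stops compiling against trunk; that deserves a changelog entry, and the Javadoc should state what the shipped managers do by default. Suggested addition to the `@return` text: `Standard managers default to <code>true</code>; see ManagerBase.` The hunk does not show how the rest of the interface documents defaults, so match the existing style.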
>
> Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Sat Sep 13 10:39:47
2008
> @@ -2331,7 +2331,7 @@
>              Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
>                                         session.getIdInternal());
>              configureSessionCookie(cookie);
> -            response.addCookieInternal(cookie);
> +            response.addCookieInternal(cookie, manager.getUseHttpOnly());
>          }
>  
>          if (session != null) {
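Review bot: The added `manager.getUseHttpOnly()` call relies on `manager` being non-null at this point; the enclosing method starts outside the hunk, so I cannot confirm the guard that presumably precedes it (`session` is already dereferenced on the line above, so some check likely exists), but it is worth verifying. Because the HttpOnly decision is threaded through a second `addCookieInternal` overload rather than applied in `configureSessionCookie(cookie)` next to secure/path/domain, every other code path that emits the session cookie must remember to pass the flag; a short comment at the call site would explain the split, e.g. `// HttpOnly is passed separately: the Servlet 2.5 Cookie API has no setter for it`, assuming that is indeed the reason.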
>
> Modified: tomcat/trunk/java/org/apache/catalina/connector/Response.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Response.java?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/connector/Response.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/connector/Response.java Sat Sep 13 10:39:47
2008
> @@ -954,6 +954,17 @@
>       * @param cookie Cookie to be added
>       */
>      public void addCookieInternal(final Cookie cookie) {
> +        addCookieInternal(cookie, false);
> +    }
> +
> +    /**
> +     * Add the specified Cookie to those that will be included with
> +     * this Response.
> +     *
> +     * @param cookie    Cookie to be added
> +     * @param httpOnly  Should the httpOnly falg be set on this cookie
> +     */
> +    public void addCookieInternal(final Cookie cookie, final boolean httpOnly) {
>  
>          if (isCommitted())
>              return;
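Review bot: The Javadoc on the new overload has a typo, `falg`: it should read `@param httpOnly  Should the httpOnly flag be set on this cookie`. Note also that the retained single-argument `addCookieInternal(cookie)` now hard-codes `false`, so every existing caller of that overload keeps emitting cookies without HttpOnly regardless of the manager setting; its Javadoc (which starts outside the hunk) should say so explicitly, e.g. `Equivalent to addCookieInternal(cookie, false); this overload never sets the HttpOnly attribute.` The same flag is threaded through the two `appendCookieValue` calls in the following two hunks of this file, whose enclosing blocks also begin outside the hunk; the body of the new two-argument overload continues past the end of this hunk.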
> @@ -968,7 +979,8 @@
>                          (sb, cookie.getVersion(), cookie.getName(), 
>                           cookie.getValue(), cookie.getPath(), 
>                           cookie.getDomain(), cookie.getComment(), 
> -                         cookie.getMaxAge(), cookie.getSecure());
> +                         cookie.getMaxAge(), cookie.getSecure(),
> +                         httpOnly);
>                      return null;
>                  }
>              });
> @@ -976,7 +988,7 @@
>              ServerCookie.appendCookieValue
>                  (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
>                       cookie.getPath(), cookie.getDomain(), cookie.getComment(), 
> -                     cookie.getMaxAge(), cookie.getSecure());
> +                     cookie.getMaxAge(), cookie.getSecure(), httpOnly);
>          }
>          //if we reached here, no exception, cookie is valid
>          // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
>
> Modified: tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java Sat Sep 13 10:39:47
2008
> @@ -217,7 +217,11 @@
>       */
>      protected PropertyChangeSupport support = new PropertyChangeSupport(this);
>      
> -    
> +    /**
> +     * The flag that indicates that session cookies should use HttpOnly
> +     */
> +    protected boolean useHttpOnly = true;
> +
>      // ------------------------------------------------------------- Security classes
>  
>  
> @@ -655,6 +659,27 @@
>  
>      }
>  
> +    /**
> +     * Gets the value of the use HttpOnly cookies for session cookies flag.
> +     * 
> +     * @return <code>true</code> if the HttpOnly flag should be set on session
> +     *         cookies
> +     */
> +    public boolean getUseHttpOnly() {
> +        return useHttpOnly;
> +    }
> +
> +
> +    /**
> +     * Sets the use HttpOnly cookies for session cookies flag.
> +     * 
> +     * @param useHttpOnly   Set to <code>true</code> to use HttpOnly cookies
> +     *                          for session cookies
> +     */
> +    public void setUseHttpOnly(boolean useHttpOnly) {
> +        this.useHttpOnly = useHttpOnly;
> +    }
> +    
>      // --------------------------------------------------------- Public Methods
>  
>  
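Review bot: `setUseHttpOnly` assigns the field directly without notifying listeners, while this class holds a `PropertyChangeSupport` in `support` (visible at the top of the first hunk of this file), which suggests its other setters fire change events; if they do, this one should follow the same pattern: `boolean oldUseHttpOnly = this.useHttpOnly; this.useHttpOnly = useHttpOnly; support.firePropertyChange("useHttpOnly", oldUseHttpOnly, useHttpOnly);` — to be confirmed against the setters outside the hunk. The `useHttpOnly` field added in the first hunk is a plain mutable `protected` boolean read on every session-cookie write; if it can be toggled at runtime (for example through management interfaces), a `volatile` qualifier would make the change visible to request threads, but I cannot tell from here whether runtime changes are expected.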
>
> Modified: tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java Sat Sep 13 10:39:47
2008
> @@ -257,7 +257,8 @@
>                                            String domain,
>                                            String comment,
>                                            int maxAge,
> -                                          boolean isSecure )
> +                                          boolean isSecure,
> +                                          boolean isHttpOnly)
>      {
>          StringBuffer buf = new StringBuffer();
>          // Servlet implementation checks name
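Review bot: Changing the signature of the existing `appendCookieValue` instead of adding an overload breaks any caller outside this commit that still passes the previous nine arguments; only the two calls in `Response.java` are updated here, and `ServerCookie` lives in `org.apache.tomcat.util.http`, which other components may use directly. Keeping the old signature as a thin delegate that passes `false` for HttpOnly preserves source compatibility at no cost; the leading parameter names below are constructed from the call sites in `Response.java` (the method's signature begins outside the hunk), so align them with the real declaration. The second hunk of this file, which appends `; HttpOnly` after `; Secure`, looks fine.
```java
/** Pre-existing nine-argument form; delegates with HttpOnly disabled for source compatibility. */
public static void appendCookieValue(StringBuffer headerBuf, int version, String name, String value,
                                     String path, String domain, String comment, int maxAge,
                                     boolean isSecure) {
    appendCookieValue(headerBuf, version, name, value, path, domain, comment, maxAge, isSecure, false);
}
// … unchanged: ten-argument appendCookieValue …
```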
> @@ -321,6 +322,10 @@
>            buf.append ("; Secure");
>          }
>          
> +        // HttpOnly
> +        if (isHttpOnly) {
> +            buf.append("; HttpOnly");
> +        }
>          headerBuf.append(buf);
>      }
>  
>
> Modified: tomcat/trunk/webapps/docs/config/manager.xml
> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/manager.xml?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/docs/config/manager.xml (original)
> +++ tomcat/trunk/webapps/docs/config/manager.xml Sat Sep 13 10:39:47 2008
> @@ -157,6 +157,12 @@
>          The default is 16.</p>
>        </attribute>
>  
> +      <attribute name="useHttpOnly" required="false">
> +       <p>Should the HttpOnly flag be set on session cookies to prevent client
> +          side script from accessing the session ID? Defaults to
> +          <code>true</code>.</p>
> +      </attribute>
> +
>      </attributes>
>  
>      <h3>Persistent Manager Implementation</h3>
> @@ -264,6 +270,12 @@
>          The default is 16.</p>
>        </attribute>
>  
> +      <attribute name="useHttpOnly" required="false">
> +       <p>Should the HttpOnly flag be set on session cookies to prevent client
> +          side script from accessing the session ID? Defaults to
> +          <code>true</code>.</p>
> +      </attribute>
> +
>      </attributes>
>  
>      <p>In order to successfully use a PersistentManager, you must nest inside
>
>
>
>
>
>   



