tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: svn commit: r694992 - in /tomcat/trunk: java/org/apache/catalina/ java/org/apache/catalina/connector/ java/org/apache/catalina/session/ java/org/apache/tomcat/util/http/ webapps/docs/config/
Date Mon, 15 Sep 2008 15:53:29 GMT
Filip Hanik - Dev Lists wrote:
> should the default be false, to mimic previous behavior?

For trunk I would argue not. For 6.0.x and 5.5.x I also favour enabled by
default but you can vote either way and I'll only commit enabled if it gets
enough votes.

Mark

> 
> Filip
> 
> markt@apache.org wrote:
>> Author: markt
>> Date: Sat Sep 13 10:39:47 2008
>> New Revision: 694992
>>
>> URL: http://svn.apache.org/viewvc?rev=694992&view=rev
>> Log:
>> Add HttpOnly support to session cookies. It is enabled by default and
>> can be disabled via manager configuration.
>> Based on a patch by Jim Manico.
>>
>> Modified:
>>     tomcat/trunk/java/org/apache/catalina/Manager.java
>>     tomcat/trunk/java/org/apache/catalina/connector/Request.java
>>     tomcat/trunk/java/org/apache/catalina/connector/Response.java
>>     tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
>>     tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
>>     tomcat/trunk/webapps/docs/config/manager.xml
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/Manager.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Manager.java?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/java/org/apache/catalina/Manager.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/Manager.java Sat Sep 13
>> 10:39:47 2008
>> @@ -240,6 +240,24 @@
>>      public void setSessionAverageAliveTime(int sessionAverageAliveTime);
>>  
>>  
>> +    /**
>> +     * Gets the value of the use HttpOnly cookies for session cookies
>> flag.
>> +     * +     * @return <code>true</code> if the HttpOnly flag should
>> be set on session
>> +     *         cookies
>> +     */
>> +    public boolean getUseHttpOnly();
>> +
>> +
>> +    /**
>> +     * Sets the use HttpOnly cookies for session cookies flag.
>> +     * +     * @param useHttpOnly   Set to <code>true</code> to use
>> HttpOnly cookies
>> +     *                          for session cookies
>> +     */
>> +    public void setUseHttpOnly(boolean useHttpOnly);
>> +
>> +
>>      // ---------------------------------------------------------
>> Public Methods
>>  
>>  
>>
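Review bot: adding getUseHttpOnly() and setUseHttpOnly() to the Manager interface breaks every third-party Manager implementation that does not extend ManagerBase; such classes will no longer compile against trunk. If that is acceptable for trunk the commit log should say so, and for the proposed 6.0.x/5.5.x backport consider keeping the interface unchanged and having Request fall back to httpOnly=false when the manager is not a ManagerBase, so existing custom managers keep working.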
>> Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java
>> (original)
>> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Sat
>> Sep 13 10:39:47 2008
>> @@ -2331,7 +2331,7 @@
>>              Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
>>                                         session.getIdInternal());
>>              configureSessionCookie(cookie);
>> -            response.addCookieInternal(cookie);
>> +            response.addCookieInternal(cookie,
>> manager.getUseHttpOnly());
>>          }
>>  
>>          if (session != null) {
>>
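Review bot: the HttpOnly decision travels beside the Cookie as a separate argument instead of being a property of it, so it is honoured only on this one code path; the unchanged single-argument response.addCookieInternal(cookie) still defaults httpOnly to false. Any other place in the connector that emits the session cookie must receive the same two-argument treatment or it will silently drop the flag. Also confirm that manager cannot be null at this point, since manager.getUseHttpOnly() now runs before the cookie is added.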
>> Modified: tomcat/trunk/java/org/apache/catalina/connector/Response.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Response.java?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/java/org/apache/catalina/connector/Response.java
>> (original)
>> +++ tomcat/trunk/java/org/apache/catalina/connector/Response.java Sat
>> Sep 13 10:39:47 2008
>> @@ -954,6 +954,17 @@
>>       * @param cookie Cookie to be added
>>       */
>>      public void addCookieInternal(final Cookie cookie) {
>> +        addCookieInternal(cookie, false);
>> +    }
>> +
>> +    /**
>> +     * Add the specified Cookie to those that will be included with
>> +     * this Response.
>> +     *
>> +     * @param cookie    Cookie to be added
>> +     * @param httpOnly  Should the httpOnly falg be set on this cookie
>> +     */
>> +    public void addCookieInternal(final Cookie cookie, final boolean
>> httpOnly) {
>>  
>>          if (isCommitted())
>>              return;
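Review bot: typo in the new Javadoc, "falg" should be "flag". It is also worth stating in that Javadoc that the one-argument addCookieInternal(Cookie) deliberately leaves httpOnly false: the javax.servlet.http.Cookie used here evidently carries no HttpOnly property (which is why the flag is passed separately), so application-added cookies never get HttpOnly through this path, only the container's session cookie does.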
>> @@ -968,7 +979,8 @@
>>                          (sb, cookie.getVersion(), cookie.getName(),
>>                           cookie.getValue(), cookie.getPath(),
>>                           cookie.getDomain(), cookie.getComment(),
>> -                         cookie.getMaxAge(), cookie.getSecure());
>> +                         cookie.getMaxAge(), cookie.getSecure(),
>> +                         httpOnly);
>>                      return null;
>>                  }
>>              });
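Review bot: the ServerCookie.appendCookieValue argument list is now duplicated between this doPrivileged branch and the plain branch below, and this very change had to edit both copies. Factoring the call into one private helper invoked from both branches would stop the two drifting apart (for example one branch gaining a new attribute and the other not).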
>> @@ -976,7 +988,7 @@
>>              ServerCookie.appendCookieValue
>>                  (sb, cookie.getVersion(), cookie.getName(),
>> cookie.getValue(),
>>                       cookie.getPath(), cookie.getDomain(),
>> cookie.getComment(), -                     cookie.getMaxAge(),
>> cookie.getSecure());
>> +                     cookie.getMaxAge(), cookie.getSecure(), httpOnly);
>>          }
>>          //if we reached here, no exception, cookie is valid
>>          // the header name is Set-Cookie for both "old" and v.1 (
>> RFC2109 )
>>
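Review bot: appendCookieValue now ends in two adjacent boolean parameters (cookie.getSecure(), httpOnly), and the compiler cannot catch a transposition, so Secure and HttpOnly could be swapped silently at either call site. A unit test asserting the exact Set-Cookie text for a Secure-only cookie and an HttpOnly-only cookie would pin the order down; failing that, a comment above the call naming the parameter order helps.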
>> Modified: tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
>> (original)
>> +++ tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java Sat
>> Sep 13 10:39:47 2008
>> @@ -217,7 +217,11 @@
>>       */
>>      protected PropertyChangeSupport support = new
>> PropertyChangeSupport(this);
>>      -    +    /**
>> +     * The flag that indicates that session cookies should use HttpOnly
>> +     */
>> +    protected boolean useHttpOnly = true;
>> +
>>      // -------------------------------------------------------------
>> Security classes
>>  
>>  
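Review bot: useHttpOnly defaults to true, so the Set-Cookie header every existing webapp emits changes on upgrade, and any client-side script that reads the session ID out of document.cookie stops working. The change itself is sound, but it needs a changelog entry and a sentence in the manager documentation telling administrators that useHttpOnly="false" restores the previous behaviour.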
>> @@ -655,6 +659,27 @@
>>  
>>      }
>>  
>> +    /**
>> +     * Gets the value of the use HttpOnly cookies for session cookies
>> flag.
>> +     * +     * @return <code>true</code> if the HttpOnly flag should
>> be set on session
>> +     *         cookies
>> +     */
>> +    public boolean getUseHttpOnly() {
>> +        return useHttpOnly;
>> +    }
>> +
>> +
>> +    /**
>> +     * Sets the use HttpOnly cookies for session cookies flag.
>> +     * +     * @param useHttpOnly   Set to <code>true</code> to use
>> HttpOnly cookies
>> +     *                          for session cookies
>> +     */
>> +    public void setUseHttpOnly(boolean useHttpOnly) {
>> +        this.useHttpOnly = useHttpOnly;
>> +    }
>> +         // ---------------------------------------------------------
>> Public Methods
>>  
>>  
>>
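Review bot: setUseHttpOnly assigns the field without notifying the PropertyChangeSupport instance (support) that ManagerBase keeps, visible in the previous hunk; if the other Manager attribute setters in this class fire property change events, this one should do the same for consistency. The Javadoc here also repeats the Manager interface text verbatim; {@inheritDoc} or a shorter implementation note would avoid two copies that must be kept in sync.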
>> Modified: tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
>> (original)
>> +++ tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
>> Sat Sep 13 10:39:47 2008
>> @@ -257,7 +257,8 @@
>>                                            String domain,
>>                                            String comment,
>>                                            int maxAge,
>> -                                          boolean isSecure )
>> +                                          boolean isSecure,
>> +                                          boolean isHttpOnly)
>>      {
>>          StringBuffer buf = new StringBuffer();
>>          // Servlet implementation checks name
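Review bot: changing the signature of the public static appendCookieValue by adding boolean isHttpOnly breaks every caller outside Response.java, and this commit updates only the two calls in Response. Either keep the old eight-argument overload delegating with isHttpOnly=false, or check the rest of the tree for other callers before committing.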
>> @@ -321,6 +322,10 @@
>>            buf.append ("; Secure");
>>          }
>>          +        // HttpOnly
>> +        if (isHttpOnly) {
>> +            buf.append("; HttpOnly");
>> +        }
>>          headerBuf.append(buf);
>>      }
>>  
>>
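Review bot: "; HttpOnly" is appended regardless of the cookie version, and HttpOnly is not an attribute defined by RFC 2109, so for version 1 cookies a strict parser would see an unknown attribute. Browsers ignore attributes they do not recognise and treat HttpOnly the same way for both versions, so emitting it unconditionally is acceptable, but a one-line comment saying so would save the next reader the question. Placing it after Secure using the same pattern is fine.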
>> Modified: tomcat/trunk/webapps/docs/config/manager.xml
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/manager.xml?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/webapps/docs/config/manager.xml (original)
>> +++ tomcat/trunk/webapps/docs/config/manager.xml Sat Sep 13 10:39:47 2008
>> @@ -157,6 +157,12 @@
>>          The default is 16.</p>
>>        </attribute>
>>  
>> +      <attribute name="useHttpOnly" required="false">
>> +       <p>Should the HttpOnly flag be set on session cookies to
>> prevent client
>> +          side script from accessing the session ID? Defaults to
>> +          <code>true</code>.</p>
>> +      </attribute>
>> +
>>      </attributes>
>>  
>>      <h3>Persistent Manager Implementation</h3>
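Review bot: the attribute text should read "client-side script" and should make clear that HttpOnly is a defence in depth against session-ID theft via XSS, not protection against XSS itself, and that it only has effect in browsers that honour the flag. Since earlier releases never set the flag, noting the version that introduced the attribute would also help administrators upgrading.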
>> @@ -264,6 +270,12 @@
>>          The default is 16.</p>
>>        </attribute>
>>  
>> +      <attribute name="useHttpOnly" required="false">
>> +       <p>Should the HttpOnly flag be set on session cookies to
>> prevent client
>> +          side script from accessing the session ID? Defaults to
>> +          <code>true</code>.</p>
>> +      </attribute>
>> +
>>      </attributes>
>>  
>>      <p>In order to successfully use a PersistentManager, you must
>> nest inside
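Review bot: this is a verbatim copy of the useHttpOnly text from the Standard Manager section above, so the same wording fixes apply here ("client-side script", the browser-support and defence-in-depth caveats), and the two copies will have to be kept identical as the documentation evolves.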
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
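As an added example, not part of this thread or of Tomcat's own code, the check a practitioner would run after deploying this change: parse the Set-Cookie headers a server returns and flag any session cookie that lacks HttpOnly. The header values below are constructed to resemble a Tomcat session cookie with useHttpOnly="false" (the previous behaviour) and with the new default of true; the cookie name JSESSIONID and the Path values are assumptions.

```python
"""Check Set-Cookie headers for the HttpOnly (and Secure) attribute.

Added example for this thread, not Tomcat code. The sample header values are
constructed; the session cookie name JSESSIONID is an assumption.
"""
from typing import Dict, List, NamedTuple


class CookieCheck(NamedTuple):
    name: str
    http_only: bool
    secure: bool
    attributes: Dict[str, str]


def parse_set_cookie(header_value: str) -> CookieCheck:
    """Parse one Set-Cookie header value into its name plus attribute flags.

    Attribute names are compared case-insensitively, as browsers do, so
    'HttpOnly', 'httponly' and 'HTTPONLY' all count. Valueless attributes
    such as Secure and HttpOnly are stored with an empty string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieCheck(
        name=name.strip(),
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        attributes=attrs,
    )


def session_cookies_missing_httponly(
        headers: List[str], session_cookie_name: str = "JSESSIONID") -> List[str]:
    """Return the raw Set-Cookie values of session cookies that lack HttpOnly."""
    missing: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name == session_cookie_name and not cookie.http_only:
            missing.append(header)
    return missing


# Constructed samples (not captured from a real server):
# what Tomcat emits with useHttpOnly="false" versus the new default of true,
# the same cookie over TLS with Secure as well, and an ordinary app cookie.
SAMPLE_BEFORE = "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app"
SAMPLE_AFTER = "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; HttpOnly"
SAMPLE_TLS = "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; Secure; HttpOnly"
SAMPLE_APP = "theme=dark; Path=/app; Max-Age=3600"


def main() -> None:
    headers = [SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_TLS, SAMPLE_APP]
    for header in headers:
        cookie = parse_set_cookie(header)
        print(f"{cookie.name:<12} HttpOnly={cookie.http_only!s:<5} Secure={cookie.secure}")
    bad = session_cookies_missing_httponly(headers)
    print("session cookies without HttpOnly:", len(bad))


if __name__ == "__main__":
    main()
```

In practice the header list comes from the server under test, for example every Set-Cookie value in an http.client response's getheaders(), or the output of a HEAD request made with curl; a session cookie that still appears in the "missing" list after the upgrade means the Manager was configured with useHttpOnly="false" or the cookie was written by some path other than the one this patch changes.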

