tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r749019 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/catalina/ java/org/apache/catalina/connector/ java/org/apache/catalina/session/ java/org/apache/tomcat/util/http/ webapps/docs/ webapps/docs/config/
Date Sun, 01 Mar 2009 12:47:55 GMT
Author: markt
Date: Sun Mar  1 12:47:54 2009
New Revision: 749019

URL: http://svn.apache.org/viewvc?rev=749019&view=rev
Log:
Provide an option to use httpOnly for session cookies. Disabled by default.

Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Mar  1 12:47:54 2009
@@ -1 +1 @@
-/tomcat/trunk:601180,606992,612607,630314,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719602,719626,719628,720046,720069,721040,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,747834,748344
+/tomcat/trunk:601180,606992,612607,630314,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719602,719626,719628,720046,720069,721040,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,747834,748344

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Mar  1 12:47:54 2009
@@ -43,19 +43,6 @@
   +1: pero, fhanik, markt, jim
   -1: 
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44382
-  Use HttpOnly for session cookies. This is enabled by default. Feel free to
-  caveat your vote with a preference for disabled by default.
-  http://svn.apache.org/viewvc?rev=694992&view=rev
-  +1: mark (prefer enabled, happy with disabled), rjung
-  +1: fhanik - if default value is to not set it for backwards compatibility
-   0: remm (not so elegant, not sure about default value)
-      markt It can be improved once the API is fixed in the 3.0 spec
-      funkman: leave as gap until 3.0 spec
-  -1: 
-  rjung: slightly prefer enabled for 6.0.x because of increased security by default,
-         but disabled for tc5.5.x because of the small risk of breaking existing apps.
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45026
   Never use empty reason phrase.
   http://svn.apache.org/viewvc?rev=697183&view=rev

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java Sun Mar  1 12:47:54 2009
@@ -240,6 +240,24 @@
     public void setSessionAverageAliveTime(int sessionAverageAliveTime);
 
 
+    /**
+     * Gets the value of the use HttpOnly cookies for session cookies flag.
+     * 
+     * @return <code>true</code> if the HttpOnly flag should be set on session
+     *         cookies
+     */
+    public boolean getUseHttpOnly();
+
+
+    /**
+     * Sets the use HttpOnly cookies for session cookies flag.
+     * 
+     * @param useHttpOnly   Set to <code>true</code> to use HttpOnly cookies
+     *                          for session cookies
+     */
+    public void setUseHttpOnly(boolean useHttpOnly);
+
+
     // --------------------------------------------------------- Public Methods
 
 

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Sun Mar  1 12:47:54
2009
@@ -2330,7 +2330,7 @@
             Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
                                        session.getIdInternal());
             configureSessionCookie(cookie);
-            response.addCookieInternal(cookie);
+            response.addCookieInternal(cookie, manager.getUseHttpOnly());
         }
 
         if (session != null) {

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java Sun Mar  1 12:47:54
2009
@@ -976,6 +976,17 @@
      * @param cookie Cookie to be added
      */
     public void addCookieInternal(final Cookie cookie) {
+        addCookieInternal(cookie, false);
+    }
+
+    /**
+     * Add the specified Cookie to those that will be included with
+     * this Response.
+     *
+     * @param cookie    Cookie to be added
+     * @param httpOnly  Should the httpOnly falg be set on this cookie
+     */
+    public void addCookieInternal(final Cookie cookie, final boolean httpOnly) {
 
         if (isCommitted())
             return;
@@ -990,7 +1001,8 @@
                         (sb, cookie.getVersion(), cookie.getName(), 
                          cookie.getValue(), cookie.getPath(), 
                          cookie.getDomain(), cookie.getComment(), 
-                         cookie.getMaxAge(), cookie.getSecure());
+                         cookie.getMaxAge(), cookie.getSecure(),
+                         httpOnly);
                     return null;
                 }
             });
@@ -998,7 +1010,7 @@
             ServerCookie.appendCookieValue
                 (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
                      cookie.getPath(), cookie.getDomain(), cookie.getComment(), 
-                     cookie.getMaxAge(), cookie.getSecure());
+                     cookie.getMaxAge(), cookie.getSecure(), httpOnly);
         }
         //if we reached here, no exception, cookie is valid
         // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java Sun Mar  1 12:47:54
2009
@@ -217,7 +217,11 @@
      */
     protected PropertyChangeSupport support = new PropertyChangeSupport(this);
     
-    
+    /**
+     * The flag that indicates that session cookies should use HttpOnly
+     */
+    protected boolean useHttpOnly = false;
+
     // ------------------------------------------------------------- Security classes
 
 
@@ -655,6 +659,27 @@
 
     }
 
+    /**
+     * Gets the value of the use HttpOnly cookies for session cookies flag.
+     * 
+     * @return <code>true</code> if the HttpOnly flag should be set on session
+     *         cookies
+     */
+    public boolean getUseHttpOnly() {
+        return useHttpOnly;
+    }
+
+
+    /**
+     * Sets the use HttpOnly cookies for session cookies flag.
+     * 
+     * @param useHttpOnly   Set to <code>true</code> to use HttpOnly cookies
+     *                          for session cookies
+     */
+    public void setUseHttpOnly(boolean useHttpOnly) {
+        this.useHttpOnly = useHttpOnly;
+    }
+    
     // --------------------------------------------------------- Public Methods
 
 

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java Sun Mar  1 12:47:54
2009
@@ -275,7 +275,8 @@
                                           String domain,
                                           String comment,
                                           int maxAge,
-                                          boolean isSecure )
+                                          boolean isSecure,
+                                          boolean isHttpOnly)
     {
         StringBuffer buf = new StringBuffer();
         // Servlet implementation checks name
@@ -343,6 +344,10 @@
           buf.append ("; Secure");
         }
         
+        // HttpOnly
+        if (isHttpOnly) {
+            buf.append("; HttpOnly");
+        }
         headerBuf.append(buf);
     }
 

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Mar  1 12:47:54 2009
@@ -272,6 +272,10 @@
         <bug>46606</bug>: Make the max DEPTH for a WebDAV request configurable.
         The default is still 3. (markt)
       </fix>
+      <add>
+        <bug>44382</bug>: Add support for using httpOnly for session cookies.
+        This is disabled by default. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">

Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml Sun Mar  1 12:47:54 2009
@@ -157,6 +157,12 @@
         The default is 16.</p>
       </attribute>
 
+      <attribute name="useHttpOnly" required="false">
+       <p>Should the HttpOnly flag be set on session cookies to prevent client
+          side script from accessing the session ID? Defaults to
+          <code>false</code>.</p>
+      </attribute>
+
     </attributes>
 
     <h3>Persistent Manager Implementation</h3>
@@ -264,6 +270,12 @@
         The default is 16.</p>
       </attribute>
 
+      <attribute name="useHttpOnly" required="false">
+       <p>Should the HttpOnly flag be set on session cookies to prevent client
+          side script from accessing the session ID? Defaults to
+          <code>true</code>.</p>
+      </attribute>
+
     </attributes>
 
     <p>In order to successfully use a PersistentManager, you must nest inside



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message