Subject: svn commit: r749019 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/catalina/ java/org/apache/catalina/connector/ java/org/apache/catalina/session/ java/org/apache/tomcat/util/http/ webapps/docs/ webapps/docs/config/
Date: Sun, 01 Mar 2009 12:47:55 -0000
To: dev@tomcat.apache.org
From: markt@apache.org
Message-Id: <20090301124756.2FC1C23888CA@eris.apache.org>

Author: markt
Date: Sun Mar 1 12:47:54 2009
New Revision: 749019

URL: http://svn.apache.org/viewvc?rev=749019&view=rev
Log:
Provide an option to use httpOnly for session cookies. Disabled by default.

Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml

Propchange: tomcat/tc6.0.x/trunk/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Sun Mar 1 12:47:54 2009 
@@ -1 +1 @@ -/tomcat/trunk:601180,606992,612607,630314,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719602,719626,719628,720046,720069,721040,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,747834,748344 +/tomcat/trunk:601180,606992,612607,630314,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719602,719626,719628,720046,720069,721040,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,747834,748344 Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Mar 1 12:47:54 2009 
@@ -43,19 +43,6 @@ +1: pero, fhanik, markt, jim -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44382 - Use HttpOnly for session cookies. This is enabled by default. Feel free to - caveat your vote with a preference for disabled by default. - http://svn.apache.org/viewvc?rev=694992&view=rev - +1: mark (prefer enabled, happy with disabled), rjung - +1: fhanik - if default value is to not set it for backwards compatibility - 0: remm (not so elegant, not sure about default value) - markt It can be improved once the API is fixed in the 3.0 spec - funkman: leave as gap until 3.0 spec - -1: - rjung: slightly prefer enabled for 6.0.x because of increased security by default, - but disabled for tc5.5.x because of the small risk of breaking existing apps. - * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45026 Never use empty reason phrase. http://svn.apache.org/viewvc?rev=697183&view=rev Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java Sun Mar 1 12:47:54 2009 
@@ -240,6 +240,24 @@ public void setSessionAverageAliveTime(int sessionAverageAliveTime); + /** + * Gets the value of the use HttpOnly cookies for session cookies flag. + * + * @return true if the HttpOnly flag should be set on session + * cookies + */ + public boolean getUseHttpOnly(); + + + /** + * Sets the use HttpOnly cookies for session cookies flag. + * + * @param useHttpOnly Set to true to use HttpOnly cookies + * for session cookies + */ + public void setUseHttpOnly(boolean useHttpOnly); + + // --------------------------------------------------------- Public Methods Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Sun Mar 1 12:47:54 2009 @@ -2330,7 +2330,7 @@ Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, session.getIdInternal()); configureSessionCookie(cookie); - response.addCookieInternal(cookie); + response.addCookieInternal(cookie, manager.getUseHttpOnly()); } if (session != null) { Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java Sun Mar 1 12:47:54 2009 
@@ -976,6 +976,17 @@ * @param cookie Cookie to be added */ public void addCookieInternal(final Cookie cookie) { + addCookieInternal(cookie, false); + } + + /** + * Add the specified Cookie to those that will be included with + * this Response. + * + * @param cookie Cookie to be added + * @param httpOnly Should the httpOnly falg be set on this cookie + */ + public void addCookieInternal(final Cookie cookie, final boolean httpOnly) { if (isCommitted()) return; @@ -990,7 +1001,8 @@ (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(), - cookie.getMaxAge(), cookie.getSecure()); + cookie.getMaxAge(), cookie.getSecure(), + httpOnly); return null; } }); @@ -998,7 +1010,7 @@ ServerCookie.appendCookieValue (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(), - cookie.getMaxAge(), cookie.getSecure()); + cookie.getMaxAge(), cookie.getSecure(), httpOnly); } //if we reached here, no exception, cookie is valid // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 ) Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java Sun Mar 1 12:47:54 2009 @@ -217,7 +217,11 @@ */ protected PropertyChangeSupport support = new PropertyChangeSupport(this); - + /** + * The flag that indicates that session cookies should use HttpOnly + */ + protected boolean useHttpOnly = false; + // ------------------------------------------------------------- Security classes 
@@ -655,6 +659,27 @@ } + /** + * Gets the value of the use HttpOnly cookies for session cookies flag. + * + * @return true if the HttpOnly flag should be set on session + * cookies + */ + public boolean getUseHttpOnly() { + return useHttpOnly; + } + + + /** + * Sets the use HttpOnly cookies for session cookies flag. + * + * @param useHttpOnly Set to true to use HttpOnly cookies + * for session cookies + */ + public void setUseHttpOnly(boolean useHttpOnly) { + this.useHttpOnly = useHttpOnly; + } + // --------------------------------------------------------- Public Methods Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java Sun Mar 1 12:47:54 2009 @@ -275,7 +275,8 @@ String domain, String comment, int maxAge, - boolean isSecure ) + boolean isSecure, + boolean isHttpOnly) { StringBuffer buf = new StringBuffer(); // Servlet implementation checks name @@ -343,6 +344,10 @@ buf.append ("; Secure"); } + // HttpOnly + if (isHttpOnly) { + buf.append("; HttpOnly"); + } headerBuf.append(buf); } Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Mar 1 12:47:54 2009 
@@ -272,6 +272,10 @@ 46606: Make the max DEPTH for a WebDAV request configurable. The default is still 3. (markt) + + 44382: Add support for using httpOnly for session cookies. + This is disabled by default. (markt) + Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml Sun Mar 1 12:47:54 2009 @@ -157,6 +157,12 @@ The default is 16.

+ +

Should the HttpOnly flag be set on session cookies to prevent client + side script from accessing the session ID? Defaults to + false.

+
+

Persistent Manager Implementation

@@ -264,6 +270,12 @@ The default is 16.

+ +

Should the HttpOnly flag be set on session cookies to prevent client + side script from accessing the session ID? Defaults to + true.

+
+

In order to successfully use a PersistentManager, you must nest inside
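Review bot: In the Manager.java hunk, adding `getUseHttpOnly()` and `setUseHttpOnly(boolean)` as abstract methods on the public `Manager` interface is a binary-incompatible change for a 6.0.x maintenance release: a third-party `Manager` that does not extend `ManagerBase` no longer compiles, and an already-compiled one will throw `AbstractMethodError` the first time `Request.java` calls `manager.getUseHttpOnly()` while setting the session cookie. Either guard that call (for example `manager instanceof ManagerBase` with a fallback of `false`, matching the documented default) or call the interface change out explicitly in the changelog entry so deployers with custom managers are not surprised.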
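Review bot: In the Response.java hunk at `@@ -976,6 +976,17 @@`, the new Javadoc has a typo: `@param httpOnly Should the httpOnly falg be set on this cookie` should read `flag`. It is also worth a sentence in that Javadoc that the retained one-argument `addCookieInternal(cookie)` always delegates with `false`, so only the session cookie created in `Request.java` ever receives the `HttpOnly` attribute; application cookies added through the servlet API are unaffected by the new manager setting.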
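Review bot: In the ServerCookie.java hunk, the signature of `appendCookieValue` gains a trailing `boolean isHttpOnly` parameter without keeping the old nine-argument form. Both call sites in Response.java are updated in this commit, but any other caller of this utility method (inside the tree or in third-party code) now fails to compile. Consider retaining the old signature as an overload that delegates with `false`; the `; HttpOnly` append itself is correct and sits alongside the existing `; Secure` handling, so both attributes end up on the same `Set-Cookie` header.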
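Review bot: In the second manager.xml hunk at `@@ -264,6 +270,12 @@` (Persistent Manager Implementation), the new attribute text says `Defaults to true`, which contradicts the commit log ("Disabled by default"), the changelog entry, the Standard Manager section of the same file (`Defaults to false`), and the actual default `protected boolean useHttpOnly = false;` in ManagerBase.java that PersistentManager inherits. Change the PersistentManager section to `Defaults to false` so the documentation matches the shipped behaviour.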