Author: markt Date: Sat Sep 13 10:39:47 2008 New Revision: 694992 URL: http://svn.apache.org/viewvc?rev=694992&view=rev Log: Add HttpOnly support to session cookies. It is enabled by default and can be disabled via manager configuration. Based on a patch by Jim Manico.
Modified: tomcat/trunk/java/org/apache/catalina/Manager.java tomcat/trunk/java/org/apache/catalina/connector/Request.java tomcat/trunk/java/org/apache/catalina/connector/Response.java tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java tomcat/trunk/webapps/docs/config/manager.xml Modified: tomcat/trunk/java/org/apache/catalina/Manager.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Manager.java?rev=694992&r1=694991&r2=694992&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/Manager.java (original) +++ tomcat/trunk/java/org/apache/catalina/Manager.java Sat Sep 13 10:39:47 2008 @@ -240,6 +240,24 @@ public void setSessionAverageAliveTime(int sessionAverageAliveTime); + /** + * Gets the value of the use HttpOnly cookies for session cookies flag. + * + * @return <code>true</code> if the HttpOnly flag should be set on session + * cookies + */ + public boolean getUseHttpOnly(); + + + /** + * Sets the use HttpOnly cookies for session cookies flag. + * + * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies + * for session cookies + */ + public void setUseHttpOnly(boolean useHttpOnly); + + // --------------------------------------------------------- Public Methods Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=694992&r1=694991&r2=694992&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original) +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Sat Sep 13 10:39:47 2008 
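Review bot: The new Javadoc on `getUseHttpOnly()` in the `Manager` interface never states what value an implementation is expected to start with, so a reader of the interface cannot tell whether HttpOnly is on or off unless they also read ManagerBase, which is where this commit sets the default to true. A sentence on the getter such as `Implementations are expected to default this to <code>true</code>; see the manager configuration documentation.` would pin the contract where implementors look for it. Adding two abstract methods to a public interface also means any Manager implementation that does not extend ManagerBase will no longer compile until it adds them; that may be acceptable for trunk, but it deserves a mention in the changelog.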
@@ -2331,7 +2331,7 @@ Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, session.getIdInternal()); configureSessionCookie(cookie); - response.addCookieInternal(cookie); + response.addCookieInternal(cookie, manager.getUseHttpOnly()); } if (session != null) { Modified: tomcat/trunk/java/org/apache/catalina/connector/Response.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Response.java?rev=694992&r1=694991&r2=694992&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/connector/Response.java (original) +++ tomcat/trunk/java/org/apache/catalina/connector/Response.java Sat Sep 13 10:39:47 2008 @@ -954,6 +954,17 @@ * @param cookie Cookie to be added */ public void addCookieInternal(final Cookie cookie) { + addCookieInternal(cookie, false); + } + + /** + * Add the specified Cookie to those that will be included with + * this Response. + * + * @param cookie Cookie to be added + * @param httpOnly Should the httpOnly falg be set on this cookie + */ + public void addCookieInternal(final Cookie cookie, final boolean httpOnly) { if (isCommitted()) return; @@ -968,7 +979,8 @@ (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(), - cookie.getMaxAge(), cookie.getSecure()); + cookie.getMaxAge(), cookie.getSecure(), + httpOnly); return null; } }); 
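Review bot: The HttpOnly decision is carried as a separate boolean into `addCookieInternal` instead of being set on the `Cookie` inside `configureSessionCookie(cookie)` with the other session-cookie attributes, and nothing at the call site explains why; presumably the `javax.servlet.http.Cookie` class in use has no HttpOnly setter, so the attribute has to travel out of band. A comment on the changed line such as `// HttpOnly cannot be expressed on javax.servlet.http.Cookie, so it is passed to the response separately` would stop the next reader from folding it into configureSessionCookie and losing it. The enclosing method starts and ends outside this hunk, so whether `manager` is guaranteed non-null at this point cannot be confirmed from the hunk alone.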
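Review bot: The Javadoc on the new two-argument `addCookieInternal` in the Response.java hunk at `@@ -954,6 +954,17 @@` has a typo, `falg` for `flag`, and the one-argument overload that now forwards to it keeps its old comment, which no longer says that it silently passes `false`. I would write `@param httpOnly Should the HttpOnly flag be set on this cookie` and, on the single-argument overload, `Equivalent to {@code addCookieInternal(cookie, false)}: cookies added through this overload never carry the HttpOnly attribute.` so other connector callers see the default. The same one-line change to the `ServerCookie.appendCookieValue` call is repeated in the hunk at `@@ -976,7 +988,7 @@` (the non-privileged branch); the two branches now have to be kept in step by hand, which a comment on either one could point out. The method body continues past the end of the first hunk.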
@@ -976,7 +988,7 @@ ServerCookie.appendCookieValue (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(), - cookie.getMaxAge(), cookie.getSecure()); + cookie.getMaxAge(), cookie.getSecure(), httpOnly); } //if we reached here, no exception, cookie is valid // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 ) Modified: tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=694992&r1=694991&r2=694992&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java (original) +++ tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java Sat Sep 13 10:39:47 2008 @@ -217,7 +217,11 @@ */ protected PropertyChangeSupport support = new PropertyChangeSupport(this); - + /** + * The flag that indicates that session cookies should use HttpOnly + */ + protected boolean useHttpOnly = true; + // ------------------------------------------------------------- Security classes 
@@ -655,6 +659,27 @@ } + /** + * Gets the value of the use HttpOnly cookies for session cookies flag. + * + * @return <code>true</code> if the HttpOnly flag should be set on session + * cookies + */ + public boolean getUseHttpOnly() { + return useHttpOnly; + } + + + /** + * Sets the use HttpOnly cookies for session cookies flag. + * + * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies + * for session cookies + */ + public void setUseHttpOnly(boolean useHttpOnly) { + this.useHttpOnly = useHttpOnly; + } + // --------------------------------------------------------- Public Methods Modified: tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=694992&r1=694991&r2=694992&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java Sat Sep 13 10:39:47 2008 @@ -257,7 +257,8 @@ String domain, String comment, int maxAge, - boolean isSecure ) + boolean isSecure, + boolean isHttpOnly) { StringBuffer buf = new StringBuffer(); // Servlet implementation checks name @@ -321,6 +322,10 @@ buf.append ("; Secure"); } + // HttpOnly + if (isHttpOnly) { + buf.append("; HttpOnly"); + } headerBuf.append(buf); } Modified: tomcat/trunk/webapps/docs/config/manager.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/manager.xml?rev=694992&r1=694991&r2=694992&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/manager.xml (original) +++ tomcat/trunk/webapps/docs/config/manager.xml Sat Sep 13 10:39:47 2008 
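Review bot: `setUseHttpOnly` assigns the field directly and bypasses the `PropertyChangeSupport` named `support` that is visible as context in the ManagerBase hunk at `@@ -217,7 +217,11 @@`; if the other setters in this class fire property-change events for their attributes (not visible in this diff), this one should do the same, e.g. `boolean oldUseHttpOnly = this.useHttpOnly; this.useHttpOnly = useHttpOnly; support.firePropertyChange("useHttpOnly", oldUseHttpOnly, this.useHttpOnly);`. The flag is read from `Request` on every session creation but is a plain non-volatile field, which is fine only if it is set during configuration, and the field Javadoc could say so: `Read on every session creation; expected to be set only at configuration time, not synchronised.` Nothing in this commit touches the manager's JMX descriptor, so the attribute may not be readable or settable through JMX; worth confirming.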
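Review bot: `appendCookieValue` is a public static method in the shared `org.apache.tomcat.util.http` package, and the ServerCookie.java hunk at `@@ -257,7 +257,8 @@` changes its signature in place rather than adding an overload, so any caller outside this commit that still passes the previous argument list (other modules built against tomcat-util, or third-party code) will stop compiling. Keeping the old signature as a one-line forwarder that passes the same arguments plus `false` for `isHttpOnly` would preserve source compatibility at no cost. The `; HttpOnly` append in the second hunk is placed after `; Secure` and is not guarded by the cookie version, so the token is emitted for both v0 and RFC 2109 style Set-Cookie headers; a comment such as `// HttpOnly is not part of RFC 2109 but is honoured by browsers for either header form` would explain why no version check is needed.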
@@ -157,6 +157,12 @@ The default is 16.</p> </attribute> + <attribute name="useHttpOnly" required="false"> + <p>Should the HttpOnly flag be set on session cookies to prevent client + side script from accessing the session ID? Defaults to + <code>true</code>.</p> + </attribute> + </attributes> <h3>Persistent Manager Implementation</h3> @@ -264,6 +270,12 @@ The default is 16.</p> </attribute> + <attribute name="useHttpOnly" required="false"> + <p>Should the HttpOnly flag be set on session cookies to prevent client + side script from accessing the session ID? Defaults to + <code>true</code>.</p> + </attribute> + </attributes> <p>In order to successfully use a PersistentManager, you must nest inside --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]