Author: markt
Date: Sun Mar 1 12:47:54 2009
New Revision: 749019
URL: http://svn.apache.org/viewvc?rev=749019&view=rev
Log:
Provide an option to use httpOnly for session cookies. Disabled by default.
Modified:
tomcat/tc6.0.x/trunk/ (props changed)
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml
Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Mar 1 12:47:54 2009
@@ -1 +1 @@
-/tomcat/trunk:601180,606992,612607,630314,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719602,719626,719628,720046,720069,721040,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,747834,748344
+/tomcat/trunk:601180,606992,612607,630314,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719602,719626,719628,720046,720069,721040,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,747834,748344
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Mar 1 12:47:54 2009
@@ -43,19 +43,6 @@
+1: pero, fhanik, markt, jim
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44382
- Use HttpOnly for session cookies. This is enabled by default. Feel free to
- caveat your vote with a preference for disabled by default.
- http://svn.apache.org/viewvc?rev=694992&view=rev
- +1: mark (prefer enabled, happy with disabled), rjung
- +1: fhanik - if default value is to not set it for backwards compatibility
- 0: remm (not so elegant, not sure about default value)
- markt It can be improved once the API is fixed in the 3.0 spec
- funkman: leave as gap until 3.0 spec
- -1:
- rjung: slightly prefer enabled for 6.0.x because of increased security by
default,
- but disabled for tc5.5.x because of the small risk of breaking
existing apps.
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45026
Never use empty reason phrase.
http://svn.apache.org/viewvc?rev=697183&view=rev
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java Sun Mar 1
12:47:54 2009
@@ -240,6 +240,24 @@
public void setSessionAverageAliveTime(int sessionAverageAliveTime);
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return <code>true</code> if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly();
+
+
+ /**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly);
+
+
// --------------------------------------------------------- Public Methods
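Review bot: Adding the abstract `getUseHttpOnly()` and `setUseHttpOnly(boolean)` at lines 66 and 75 to the public `Manager` interface is a source- and binary-incompatible change for any third-party `Manager` that does not extend `ManagerBase`; because `Request` now calls `manager.getUseHttpOnly()` unconditionally when it creates the session cookie, such an implementation would fail with `AbstractMethodError` at session creation rather than at startup. Whether any such implementations exist in deployed 6.0.x installations is not visible here, but the Javadoc on the getter should at least say so, e.g. `Implementations that do not extend {@link org.apache.catalina.session.ManagerBase} must implement this method; it is called for every newly created session cookie.` The Javadoc could also name the default the servlet container applies (disabled), which the interface leaves to the implementation.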
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Sun
Mar 1 12:47:54 2009
@@ -2330,7 +2330,7 @@
Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
session.getIdInternal());
configureSessionCookie(cookie);
- response.addCookieInternal(cookie);
+ response.addCookieInternal(cookie, manager.getUseHttpOnly());
}
if (session != null) {
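Review bot: The reason the HttpOnly flag is passed beside the cookie instead of being set on it is not recorded anywhere in the new code, and a reader of line 92 will reasonably ask why `configureSessionCookie(cookie)` does not handle it. A one-line why-comment above the call would save that, e.g. `// The Servlet 2.5 Cookie API has no HttpOnly property, so the flag is carried alongside the cookie`. The enclosing method starts before this hunk, so whether `manager` can be null at this point cannot be confirmed from the hunk; if it can, the call on line 92 needs the same guard the surrounding method uses.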
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java Sun
Mar 1 12:47:54 2009
@@ -976,6 +976,17 @@
* @param cookie Cookie to be added
*/
public void addCookieInternal(final Cookie cookie) {
+ addCookieInternal(cookie, false);
+ }
+
+ /**
+ * Add the specified Cookie to those that will be included with
+ * this Response.
+ *
+ * @param cookie Cookie to be added
+ * @param httpOnly Should the httpOnly falg be set on this cookie
+ */
+ public void addCookieInternal(final Cookie cookie, final boolean httpOnly)
{
if (isCommitted())
return;
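Review bot: The `@param httpOnly` Javadoc on line 115 has a typo, `falg`, and should read `@param httpOnly Should the HttpOnly flag be set on this cookie`. The retained one-argument `addCookieInternal(Cookie)` now silently emits cookies without HttpOnly; its Javadoc (which starts above the hunk) should state that it is equivalent to `addCookieInternal(cookie, false)` so callers adding non-session cookies know the flag is not applied for them. The body of the new two-argument overload continues past the end of this hunk, and the two later hunks in this file only thread the flag through to `ServerCookie.appendCookieValue`, so no further point is raised there.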
@@ -990,7 +1001,8 @@
(sb, cookie.getVersion(), cookie.getName(),
cookie.getValue(), cookie.getPath(),
cookie.getDomain(), cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(),
+ httpOnly);
return null;
}
});
@@ -998,7 +1010,7 @@
ServerCookie.appendCookieValue
(sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
cookie.getPath(), cookie.getDomain(),
cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(), httpOnly);
}
//if we reached here, no exception, cookie is valid
// the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java Sun
Mar 1 12:47:54 2009
@@ -217,7 +217,11 @@
*/
protected PropertyChangeSupport support = new PropertyChangeSupport(this);
-
+ /**
+ * The flag that indicates that session cookies should use HttpOnly
+ */
+ protected boolean useHttpOnly = false;
+
// ------------------------------------------------------------- Security
classes
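Review bot: The initializer `protected boolean useHttpOnly = false;` on line 156 fixes the container-wide default as disabled, which matches the log message and the StandardManager entry in manager.xml, but the PersistentManager entry added in the same commit (manager.xml, second hunk) documents the default as `true`; that documentation contradicts this field and should be corrected to `false`, since PersistentManagerBase inherits this initializer as far as this commit shows. The field comment could also record why the default is off, which the STATUS.txt discussion gives as the rationale: `/** Whether session cookies carry the HttpOnly attribute; off by default to avoid breaking existing applications. */`.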
@@ -655,6 +659,27 @@
}
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return <code>true</code> if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly() {
+ return useHttpOnly;
+ }
+
+
+ /**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly) {
+ this.useHttpOnly = useHttpOnly;
+ }
+
// --------------------------------------------------------- Public Methods
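Review bot: `setUseHttpOnly` on lines 179-181 assigns the field without notifying the `PropertyChangeSupport` the class keeps in `support` (visible in the earlier hunk at line 151); if the sibling setters in `ManagerBase` fire change events, as the presence of that field suggests, this one should do the same for consistency, otherwise listeners never learn that the cookie policy changed at runtime. The change would be `boolean oldUseHttpOnly = this.useHttpOnly;` / `this.useHttpOnly = useHttpOnly;` / `support.firePropertyChange("useHttpOnly", oldUseHttpOnly, useHttpOnly);`. Whether the other setters actually fire events is not visible in this hunk and should be checked before adopting it.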
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java Sun
Mar 1 12:47:54 2009
@@ -275,7 +275,8 @@
String domain,
String comment,
int maxAge,
- boolean isSecure )
+ boolean isSecure,
+ boolean isHttpOnly)
{
StringBuffer buf = new StringBuffer();
// Servlet implementation checks name
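Review bot: Changing the parameter list of the public static `appendCookieValue` on lines 197-199 without keeping an overload with the previous signature breaks any caller outside `Response` at compile time and with `NoSuchMethodError` at run time; `org.apache.tomcat.util.http.ServerCookie` is a utility class that other code may call directly, although no such callers are visible in this commit. Retaining a delegating overload with the old nine-parameter signature that forwards with `false` for `isHttpOnly` would keep the change backward-compatible, and marking it with `@deprecated` Javadoc pointing at the new form would steer callers over. The method signature begins above this hunk, so the leading parameters are not shown here.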
@@ -343,6 +344,10 @@
buf.append ("; Secure");
}
+ // HttpOnly
+ if (isHttpOnly) {
+ buf.append("; HttpOnly");
+ }
headerBuf.append(buf);
}
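Review bot: The `// HttpOnly` comment on line 206 only restates the `if (isHttpOnly)` beneath it; the useful thing to record is why the attribute is written the way it is, e.g. `// HttpOnly is not defined by RFC 2109/2965; it is emitted as a bare attribute, and from this hunk it appears to be added regardless of cookie version, as Secure is above`. Whether the append really is unconditional on the version depends on code above the hunk, so the comment should be confirmed against the full method before committing to that wording.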
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Mar 1 12:47:54 2009
@@ -272,6 +272,10 @@
<bug>46606</bug>: Make the max DEPTH for a WebDAV request configurable.
The default is still 3. (markt)
</fix>
+ <add>
+ <bug>44382</bug>: Add support for using httpOnly for session cookies.
+ This is disabled by default. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml?rev=749019&r1=749018&r2=749019&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml Sun Mar 1 12:47:54
2009
@@ -157,6 +157,12 @@
The default is 16.</p>
</attribute>
+ <attribute name="useHttpOnly" required="false">
+ <p>Should the HttpOnly flag be set on session cookies to prevent client
+ side script from accessing the session ID? Defaults to
+ <code>false</code>.</p>
+ </attribute>
+
</attributes>
<h3>Persistent Manager Implementation</h3>
@@ -264,6 +270,12 @@
The default is 16.</p>
</attribute>
+ <attribute name="useHttpOnly" required="false">
+ <p>Should the HttpOnly flag be set on session cookies to prevent client
+ side script from accessing the session ID? Defaults to
+ <code>true</code>.</p>
+ </attribute>
+
</attributes>
<p>In order to successfully use a PersistentManager, you must nest inside