Author: markt Date: Fri Mar 6 14:34:44 2009 New Revision: 750918 URL: http://svn.apache.org/viewvc?rev=750918&view=rev Log: UseHttpOnly is a cookie attribute. Our Manager is cookie agnostic, hence the attribute might serve a better purpose being implemented at the Context level. This also allows people to configure it globally in conf/context.xml. Port of fhanik's patch from trunk
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=750918&r1=750917&r2=750918&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Mar 6 14:34:44 2009
@@ -95,14 +95,6 @@
 code a warning that it won't be there in the next version. -1: -* UseHttpOnly is a cookie attribute. Our Manager is cookie agnostic, hence the attribute might - serve a better purpose being implemented at the Context level - http://people.apache.org/~fhanik/tomcat/useHttpOnly.patch - This also allows people to configure it globally in conf/context.xml without automatically - setting the default manager class - +1: fhanik, markt, jim - -1: - * Make the LOGGING_CONFIG variable a variable that one can set outside or in setenv.sh to override the default tomcat logging mechanism with a custom extension or a different location of the logging.properties file or both http://svn.apache.org/viewvc?rev=750258&view=rev
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java?rev=750918&r1=750917&r2=750918&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java Fri Mar 6 14:34:44 2009
@@ -181,8 +181,24 @@
 */
 public void setCookies(boolean cookies);
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return <code>true</code> if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly();
+ /**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly);
+
+
 /**
 * Return the "allow crossing servlet contexts" flag.
 */
 public boolean getCrossContext();
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java?rev=750918&r1=750917&r2=750918&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java Fri Mar 6 14:34:44 2009
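Review bot: The Javadoc on the new `getUseHttpOnly()` / `setUseHttpOnly()` says what the flag is called but not what it protects, which is the one thing a reader of a security control needs; the context.xml text added in this same commit already has the wording, so the getter's `@return` could read `* @return <code>true</code> if the HttpOnly flag should be set on session cookies so that client side script cannot read the session ID`. Spacing is also inconsistent: there is no blank line between `public boolean getUseHttpOnly();` and the `/**` opening the setter's Javadoc, while two blank lines are added after the setter, which appears to be the convention the trailing `+` lines follow. The mirror-image removal of this pair from Manager.java (and of the `protected boolean useHttpOnly` field from ManagerBase.java) is an API change for third-party Manager implementations on a maintenance branch, and neither the changelog entry nor this interface's Javadoc records the move.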
@@ -240,24 +240,6 @@
 public void setSessionAverageAliveTime(int sessionAverageAliveTime);
- /**
- * Gets the value of the use HttpOnly cookies for session cookies flag.
- *
- * @return <code>true</code> if the HttpOnly flag should be set on session
- * cookies
- */
- public boolean getUseHttpOnly();
-
-
- /**
- * Sets the use HttpOnly cookies for session cookies flag.
- *
- * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
- * for session cookies
- */
- public void setUseHttpOnly(boolean useHttpOnly);
-
-
 // --------------------------------------------------------- Public Methods
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=750918&r1=750917&r2=750918&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Fri Mar 6 14:34:44 2009
@@ -2330,7 +2330,7 @@
 Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, session.getIdInternal());
 configureSessionCookie(cookie);
- response.addCookieInternal(cookie, manager.getUseHttpOnly());
+ response.addCookieInternal(cookie, context.getUseHttpOnly());
 }
 if (session != null) {
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java?rev=750918&r1=750917&r2=750918&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java Fri Mar 6 14:34:44 2009
@@ -681,6 +681,10 @@
 */
 private boolean saveConfig = true;
+ /**
+ * The flag that indicates that session cookies should use HttpOnly
+ */
+ private boolean useHttpOnly = false;
 // ----------------------------------------------------- Context Properties
@@ -1096,6 +1100,33 @@
 new Boolean(this.cookies));
 }
+
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return <code>true</code> if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly() {
+ return useHttpOnly;
+ }
+
+
+ /**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly) {
+ boolean oldUseHttpOnly = this.useHttpOnly;
+ this.useHttpOnly = useHttpOnly;
+ support.firePropertyChange("useHttpOnly",
+ new Boolean(oldUseHttpOnly),
+ new Boolean(this.useHttpOnly));
+ }
+
+
 /**
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=750918&r1=750917&r2=750918&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java Fri Mar 6 14:34:44 2009
@@ -217,11 +217,6 @@
 */
 protected PropertyChangeSupport support = new PropertyChangeSupport(this);
- /**
- * The flag that indicates that session cookies should use HttpOnly
- */
- protected boolean useHttpOnly = false;
-
 // ------------------------------------------------------------- Security classes
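Review bot: The new field `private boolean useHttpOnly = false;` keeps the protection off by default, and because the attribute is removed from Manager in the same commit, a deployment that already carries `<Manager useHttpOnly="true">` in its context descriptor loses the HttpOnly flag on its session cookie after upgrading, with at most a startup warning about an unknown property rather than an error. The manager.xml documentation deleted in this commit claimed the default was `true` while ManagerBase actually initialised it to `false`, so configurations that trusted that text were never protected either; the changelog change only appends "(markt/fhanik)" and should say that the attribute moved, e.g. `The useHttpOnly attribute has moved from Manager to Context; set it on the Context (or in conf/context.xml) to keep HttpOnly session cookies.` Minor: `setUseHttpOnly` wraps the old and new values with `new Boolean(...)`, where `Boolean.valueOf(...)` would avoid the allocation, though the neighbouring `setCookies` visible at the top of the second hunk uses the same pattern, so keeping it is consistent with the file. The same default/removal point applies to the ManagerBase hunks and the Manager.java hunk above.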
@@ -658,28 +653,6 @@
 new Integer(this.processExpiresFrequency));
 }
-
- /**
- * Gets the value of the use HttpOnly cookies for session cookies flag.
- *
- * @return <code>true</code> if the HttpOnly flag should be set on session
- * cookies
- */
- public boolean getUseHttpOnly() {
- return useHttpOnly;
- }
-
-
- /**
- * Sets the use HttpOnly cookies for session cookies flag.
- *
- * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
- * for session cookies
- */
- public void setUseHttpOnly(boolean useHttpOnly) {
- this.useHttpOnly = useHttpOnly;
- }
-
 // --------------------------------------------------------- Public Methods
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=750918&r1=750917&r2=750918&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri Mar 6 14:34:44 2009
@@ -286,7 +286,7 @@
 </fix>
 <add>
 <bug>44382</bug>: Add support for using httpOnly for session cookies.
- This is disabled by default. (markt)
+ This is disabled by default. (markt/fhanik)
 </add>
 <fix>
 Fix possible NCDFE when using FORM authentication. (jfclere)
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml?rev=750918&r1=750917&r2=750918&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml Fri Mar 6 14:34:44 2009
@@ -229,6 +229,13 @@
 implementation class that will be used for servlets managed by this Context. If not specified, a standard default value will be used.</p>
 </attribute>
+
+ <attribute name="useHttpOnly" required="false">
+ <p>Should the HttpOnly flag be set on session cookies to prevent client
+ side script from accessing the session ID? Defaults to
+ <code>false</code>.</p>
+ </attribute>
+
 </attributes>
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml?rev=750918&r1=750917&r2=750918&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml Fri Mar 6 14:34:44 2009
@@ -270,12 +270,6 @@
 The default is 16.</p>
 </attribute>
- <attribute name="useHttpOnly" required="false">
- <p>Should the HttpOnly flag be set on session cookies to prevent client
- side script from accessing the session ID? Defaults to
- <code>true</code>.</p>
- </attribute>
-
 </attributes>
 <p>In order to successfully use a PersistentManager, you must nest inside
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org