https://issues.apache.org/bugzilla/show_bug.cgi?id=47554
Summary: o.a.c.h.s.JvmRouteBinderValve doesn't set HttpOnly flag to session Cookie.
Product: Tomcat 6
Version: 6.0.20
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Cluster
AssignedTo: [email protected]
ReportedBy: [email protected]
When the session ID is changed by o.a.c.h.s.JvmRouteBinderValve,
the HttpOnly flag is not set on the newly created session cookie.
The cause is in the following code of
o.a.c.h.s.JvmRouteBinderValve#setNewSessionCookie.
    protected void setNewSessionCookie(Request request,
            Response response, String sessionId) {
        if (response != null) {
            Context context = request.getContext();
            if (context.getCookies()) {
                // set a new session cookie
                Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME,
                        sessionId);
                newCookie.setMaxAge(-1);
                // cookie path: context path unless emptySessionPath is configured
                String contextPath = null;
                if (!response.getConnector().getEmptySessionPath()
                        && (context != null)) {
                    contextPath = context.getEncodedPath();
                }
                if ((contextPath != null) && (contextPath.length() > 0)) {
                    newCookie.setPath(contextPath);
                } else {
                    newCookie.setPath("/");
                }
                // Secure flag is honoured, but HttpOnly is never considered here
                if (request.isSecure()) {
                    newCookie.setSecure(true);
                }
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("jvmRoute.newSessionCookie",
                            sessionId, Globals.SESSION_COOKIE_NAME, newCookie
                                    .getPath(), new Boolean(newCookie
                                    .getSecure())));
                }
                response.addCookie(newCookie);
            }
        }
    }
The HttpOnly flag is never set on the cookie, regardless of the value of
context.getUseHttpOnly().
When context.getUseHttpOnly() is set to true, it is necessary to set HttpOnly
on the cookie.
I made two patches.
The first is a patch for Tomcat 6 (tomcat/tc6.0.x/trunk/).
This patch uses response.addCookieInternal(Cookie, boolean).
The second is a patch for Tomcat 7 or later (tomcat/trunk/).
This patch uses javax.servlet.SessionCookieConfig.
(Has it not been implemented yet? I tried to make a patch.)
It is similar to org.apache.catalina.connector.Request#configureSessionCookie.
Best regards.
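Added example, not the reporter's patch and not Tomcat's own code: the same valve method with the missing HttpOnly handling restored for the Tomcat 6 branch, mirroring what Request#configureSessionCookie does. It assumes the Context#getUseHttpOnly() and Response#addCookieInternal(Cookie, boolean) methods named in the report; everything else follows the original method line for line.

```java
// Added example (not the reporter's patch): setNewSessionCookie with HttpOnly
// honoured. Assumes Context#getUseHttpOnly() and
// Response#addCookieInternal(Cookie, boolean), as named in the bug report.
import javax.servlet.http.Cookie;
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;

public class HttpOnlySessionCookieExample {

    protected void setNewSessionCookie(Request request,
            Response response, String sessionId) {
        if (response == null) {
            return;
        }
        Context context = request.getContext();
        // Check the context before using it (the original dereferences it first)
        if (context == null || !context.getCookies()) {
            return;
        }
        Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME, sessionId);
        newCookie.setMaxAge(-1); // session cookie, discarded when the browser exits

        // Same path logic as the original valve
        String contextPath = null;
        if (!response.getConnector().getEmptySessionPath()) {
            contextPath = context.getEncodedPath();
        }
        if (contextPath != null && contextPath.length() > 0) {
            newCookie.setPath(contextPath);
        } else {
            newCookie.setPath("/");
        }
        if (request.isSecure()) {
            newCookie.setSecure(true);
        }

        // The fix: follow the context's useHttpOnly setting. Response#addCookie
        // has no HttpOnly parameter in Tomcat 6, so the internal overload that
        // Request#configureSessionCookie also relies on is used instead.
        boolean httpOnly = context.getUseHttpOnly();
        response.addCookieInternal(newCookie, httpOnly);
    }
}
```

Without this, a session cookie re-issued after a failover carries no HttpOnly attribute even though the rest of the context's cookies do, so script on the page can read JSESSIONID again; checking the Set-Cookie header after a node switch is the quickest way to confirm the fix is in place.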