Re: [xwiki-devs] [xwiki-notifications] r28709 - platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki

5 May 2010

On May 4, 2010, at 10:50 PM, sdumitriu (SVN) wrote:

...
  Author: sdumitriu
 Date: 2010-05-04 22:50:34 +0200 (Tue, 04 May 2010)
 New Revision: 28709

 Modified:

platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
 Log:
 XWIKI-5156: Session cookies are not marked as HttpOnly
 Fixed

 Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
 ===================================================================
 ---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java	2010-05-04
20:50:00 UTC (rev 28708)
 +++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java	2010-05-04
20:50:34 UTC (rev 28709)
 @@ -245,7 +245,31 @@
             LOG.debug("Adding cookie: " + cookie.getDomain() + cookie.getPath()
+ " " + cookie.getName() + "="
                 + cookie.getValue());
         }
 -        response.addCookie(cookie);
 +        // We don't use the container's response.addCookie, since the HttpOnly
cookie flag was introduced only recently
 +        // in the servlet specification, and we're still using the older 2.4
specification as a minimal requirement for
 +        // compatibility with as many containers as possible. Instead, we write the
cookie manually as a HTTP header. 

AFAIK addCookie is avail in the the 2.3 spec:
http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpSer…

Thanks
-Vincent

...
  +        StringBuilder cookieValue = new
StringBuilder(150);
 +        cookieValue.append(cookie.getName() + "=");
 +        if (StringUtils.isNotEmpty(cookie.getValue())) {
 +            cookieValue.append("\"" + cookie.getValue() +
"\"");
 +        }
 +        cookieValue.append("; Version=1");
 +        if (cookie.getMaxAge() >= 0) {
 +            cookieValue.append("; Max-Age=" + cookie.getMaxAge());
 +        } else {
 +            cookieValue.append("; Discard");
 +        }
 +        if (StringUtils.isNotEmpty(cookie.getDomain())) {
 +            // IE needs toLowerCase for the domain name
 +            cookieValue.append("; Domain=" +
cookie.getDomain().toLowerCase());
 +        }
 +        if (StringUtils.isNotEmpty(cookie.getPath())) {
 +            cookieValue.append("; Path=" + cookie.getPath());
 +        }
 +        // Protect cookies from being used from JavaScript, see
http://www.owasp.org/index.php/HttpOnly
 +        cookieValue.append("; HttpOnly");
 +
 +        response.addHeader("Set-Cookie", cookieValue.toString());
     }

     /** 

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [xwiki-devs] [xwiki-notifications] r28709 - platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki