On May 4, 2010, at 10:50 PM, sdumitriu (SVN) wrote:
Author: sdumitriu
Date: 2010-05-04 22:50:34 +0200 (Tue, 04 May 2010)
New Revision: 28709
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
Log:
XWIKI-5156: Session cookies are not marked as HttpOnly
Fixed
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java 2010-05-04
20:50:00 UTC (rev 28708)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java 2010-05-04
20:50:34 UTC (rev 28709)
@@ -245,7 +245,31 @@
LOG.debug("Adding cookie: " + cookie.getDomain() +
cookie.getPath() + " " + cookie.getName() + "="
+ cookie.getValue());
}
- response.addCookie(cookie);
+ // We don't use the container's response.addCookie, since the HttpOnly
cookie flag was introduced only recently
+ // in the servlet specification, and we're still using the older 2.4
specification as a minimal requirement for
+ // compatibility with as many containers as possible. Instead, we write the
cookie manually as a HTTP header.
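Review bot: the rationale in the new comment is imprecise: `response.addCookie` exists in Servlet 2.3/2.4, and what is missing before Servlet 3.0 is `Cookie.setHttpOnly`, so the comment should say that the `Cookie` class offers no way to set the flag rather than suggesting `addCookie` itself is the problem. The hunk header (`@@ -245,7 +245,31 @@`) promises 31 new lines but only the comment is visible here, so the replacement header-writing code should be checked for reproducing every attribute the container would have emitted (Domain, Path, Max-Age/Expires, Secure) before appending `HttpOnly`; otherwise the persistent-login cookie silently loses its scope or lifetime restrictions. Separately, the unchanged debug line above logs `cookie.getValue()`, which for a persistent-login cookie is the authentication token; logging only the name, domain and path would be safer.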
AFAIK addCookie is available in the 2.3 spec:
http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpSer…
Yes, addCookie is (and it was used before). The problem is the Cookie
class which doesn't have a setHttpOnly in 2.3.
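The approach the thread describes, writing the `Set-Cookie` header by hand because the Servlet 2.3/2.4 `Cookie` class has no `setHttpOnly`, shown as an added illustrative example. This is not XWiki's code and is not the body of revision 28709; it assumes only the `Cookie` accessors that exist in Servlet 2.3 (`getName`, `getValue`, `getDomain`, `getPath`, `getMaxAge`, `getSecure`) and `HttpServletResponse.addHeader`. The class and method names are invented for the example.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative helper (not XWiki code): builds a Set-Cookie header value from a
 * javax.servlet.http.Cookie and appends the HttpOnly attribute, for containers
 * whose Cookie class predates Servlet 3.0 and therefore has no setHttpOnly.
 */
public final class HttpOnlyCookieWriter {
    // Netscape-style Expires date, understood by browsers that ignore Max-Age.
    private static final String EXPIRES_FORMAT = "EEE, dd-MMM-yyyy HH:mm:ss 'GMT'";

    private HttpOnlyCookieWriter() {
    }

    /**
     * Builds the complete header value. "now" is passed in so callers (and tests)
     * can compute the Expires attribute deterministically.
     */
    public static String buildSetCookieHeader(Cookie cookie, Date now) {
        // Refuse names/values that could terminate the attribute list or inject a
        // second header line; the container would normally reject these for us.
        rejectUnsafe(cookie.getName());
        rejectUnsafe(cookie.getValue());

        StringBuilder header = new StringBuilder();
        header.append(cookie.getName()).append('=').append(cookie.getValue());
        if (cookie.getDomain() != null) {
            header.append("; Domain=").append(cookie.getDomain());
        }
        if (cookie.getPath() != null) {
            header.append("; Path=").append(cookie.getPath());
        }
        int maxAge = cookie.getMaxAge();
        // -1 means "session cookie": emit no lifetime attributes at all.
        // 0 means "delete": Max-Age=0 plus an Expires date that is already past.
        if (maxAge >= 0) {
            header.append("; Max-Age=").append(maxAge);
            SimpleDateFormat fmt = new SimpleDateFormat(EXPIRES_FORMAT, Locale.US);
            fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
            Date expires = new Date(now.getTime() + maxAge * 1000L);
            header.append("; Expires=").append(fmt.format(expires));
        }
        if (cookie.getSecure()) {
            header.append("; Secure");
        }
        // The attribute the pre-3.0 Cookie class cannot express.
        header.append("; HttpOnly");
        return header.toString();
    }

    /** Writes the cookie as a raw header instead of calling response.addCookie. */
    public static void addHttpOnlyCookie(HttpServletResponse response, Cookie cookie) {
        response.addHeader("Set-Cookie", buildSetCookieHeader(cookie, new Date()));
    }

    private static void rejectUnsafe(String token) {
        if (token == null) {
            throw new IllegalArgumentException("cookie name/value must not be null");
        }
        for (int i = 0; i < token.length(); i++) {
            char c = token.charAt(i);
            if (c == ';' || c == ',' || c == '\r' || c == '\n' || c < 0x20) {
                throw new IllegalArgumentException("illegal character in cookie name/value");
            }
        }
    }
}
```

For a cookie with name `rememberme`, value `abc`, path `/xwiki`, max age 3600 and the secure flag set, `buildSetCookieHeader` produces `rememberme=abc; Path=/xwiki; Max-Age=3600; Expires=<now + 1h in GMT>; Secure; HttpOnly`. The check a deployer wants after such a change is to look at the raw `Set-Cookie` response header in the browser's network tab or with a plain HTTP client and confirm that `HttpOnly` is present and that Domain, Path and lifetime match what the container emitted before the change.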