Re: [xwiki-devs] [xwiki-notifications] r28709 - platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki

Author: sdumitriu Date: 2010-05-04 22:50:34 +0200 (Tue, 04 May 2010) New Revision: 28709 Modified: platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java Log: XWIKI-5156: Session cookies are not marked as HttpOnly Fixed Modified: platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java =================================================================== --- platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java 2010-05-04 20:50:00 UTC (rev 28708) +++ platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java 2010-05-04 20:50:34 UTC (rev 28709) @@ -245,7 +245,31 @@ LOG.debug("Adding cookie: " + cookie.getDomain() + cookie.getPath() + " " + cookie.getName() + "=" + cookie.getValue()); } - response.addCookie(cookie); + // We don't use the container's response.addCookie, since the HttpOnly cookie flag was introduced only recently + // in the servlet specification, and we're still using the older 2.4 specification as a minimal requirement for + // compatibility with as many containers as possible. Instead, we write the cookie manually as a HTTP header.