5 May
2010
5 May
'10
7:40 p.m.
On May 5, 2010, at 7:22 PM, Sergiu Dumitriu wrote:
On 05/05/2010 10:13 AM, Vincent Massol wrote:
ok I misread. Couldn't you still use addCookie but call Cookie.getValue() add the
httpOnly value to it and call setValue() to set it instead?
Thanks
-Vincent
On May 4, 2010, at 10:50 PM, sdumitriu (SVN) wrote:
Yes, addCookie is (and it was used before). The problem is the Cookie
class which doesn't have a setHttpOnly in 2.3. Author: sdumitriu
Date: 2010-05-04 22:50:34 +0200 (Tue, 04 May 2010)
New Revision: 28709
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
Log:
XWIKI-5156: Session cookies are not marked as HttpOnly
Fixed
Modified:
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
===================================================================
---
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java 2010-05-04
20:50:00 UTC (rev 28708)
+++
platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java 2010-05-04
20:50:34 UTC (rev 28709)
@@ -245,7 +245,31 @@
LOG.debug("Adding cookie: " + cookie.getDomain() + cookie.getPath()
+ " " + cookie.getName() + "="
+ cookie.getValue());
}
- response.addCookie(cookie);
+ // We don't use the container's response.addCookie, since the HttpOnly
cookie flag was introduced only recently
+ // in the servlet specification, and we're still using the older 2.4
specification as a minimal requirement for
+ // compatibility with as many containers as possible. Instead, we write the
cookie manually as a HTTP header.
AFAIK addCookie is avail in the the 2.3 spec:
http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpSer…
> Thanks
> -Vincent
>
>> + StringBuilder cookieValue = new StringBuilder(150);
>> + cookieValue.append(cookie.getName() + "=");
>> + if (StringUtils.isNotEmpty(cookie.getValue())) {
>> + cookieValue.append("\"" + cookie.getValue() +
"\"");
>> + }
>> + cookieValue.append("; Version=1");
>> + if (cookie.getMaxAge()>= 0) {
>> + cookieValue.append("; Max-Age=" + cookie.getMaxAge());
>> + } else {
>> + cookieValue.append("; Discard");
>> + }
>> + if (StringUtils.isNotEmpty(cookie.getDomain())) {
>> + // IE needs toLowerCase for the domain name
>> + cookieValue.append("; Domain=" +
cookie.getDomain().toLowerCase());
>> + }
>> + if (StringUtils.isNotEmpty(cookie.getPath())) {
>> + cookieValue.append("; Path=" + cookie.getPath());
>> + }
>> + // Protect cookies from being used from JavaScript, see
http://www.owasp.org/index.php/HttpOnly
>> + cookieValue.append("; HttpOnly");
>> +
>> + response.addHeader("Set-Cookie", cookieValue.toString());
>> }
>>
>> /**