This is an automated email from the ASF dual-hosted git repository.

rymarm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/drill.git


The following commit(s) were added to refs/heads/master by this push:
     new d0b2adaaf9 DRILL-8522: Change session cookie name. Use STRICT sameSite 
(#2985)
d0b2adaaf9 is described below

commit d0b2adaaf929fd2b27d92e49fe80e6024267710d
Author: Maksym Rymar <rym...@apache.org>
AuthorDate: Thu May 8 23:02:40 2025 +0300

    DRILL-8522: Change session cookie name. Use STRICT sameSite (#2985)
---
 .../main/java/org/apache/drill/exec/server/rest/WebServer.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git 
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java 
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
index e6f1499726..a5537e6831 100644
--- 
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
+++ 
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
@@ -42,6 +42,7 @@ import 
org.apache.drill.exec.server.rest.auth.DrillHttpSecurityHandlerProvider;
 import org.apache.drill.exec.server.rest.header.ResponseHeadersSettingFilter;
 import org.apache.drill.exec.server.rest.ssl.SslContextFactoryConfigurator;
 import org.apache.drill.exec.work.WorkManager;
+import org.eclipse.jetty.http.HttpCookie;
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.security.SecurityHandler;
 import org.eclipse.jetty.security.authentication.SessionAuthentication;
@@ -276,7 +277,14 @@ public class WebServer implements AutoCloseable {
     //SessionManager sessionManager = new HashSessionManager();
     
sessionHandler.setMaxInactiveInterval(config.getInt(ExecConstants.HTTP_SESSION_MAX_IDLE_SECS));
     // response cookie will be returned with HttpOnly flag
-    sessionHandler.getSessionCookieConfig().setHttpOnly(true);
+    sessionHandler.setHttpOnly(true);
+    sessionHandler.setSameSite(HttpCookie.SameSite.STRICT);
+
+    if(config.getBoolean(ExecConstants.HTTP_ENABLE_SSL)) {
+      sessionHandler.setSessionCookie("__Secure-Drill-Session-Id");
+    } else {
+      sessionHandler.setSessionCookie("Drill-Session-Id");
+    }
     sessionHandler.addEventListener(new HttpSessionListener() {
       @Override
       public void sessionCreated(HttpSessionEvent se) { }
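Review bot: The `__Secure-` prefixed cookie name chosen in the `HTTP_ENABLE_SSL` branch is only accepted by browsers that implement cookie-name prefixes when the cookie also carries the `Secure` attribute, and nothing in this hunk sets it; unless it is already set elsewhere in the enclosing method (which starts and ends outside the hunk), such browsers will discard the session cookie and HTTPS logins will not stick. Set the attribute alongside the name, e.g. `sessionHandler.getSessionCookieConfig().setSecure(true);` inside the SSL branch (or `sessionHandler.setSecureRequestOnly(true);` before it), so the name and the attribute cannot drift apart. The context comment `// response cookie will be returned with HttpOnly flag` now under-describes the block; I would change it to `// session cookie is HttpOnly, SameSite=Strict and, when SSL is enabled, __Secure-prefixed`. Minor style: `if(config.getBoolean(` should read `if (config.getBoolean(` to match the surrounding code.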
