This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.auth.form-1.0.2 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-form.git
commit bfe05c2895d9b9376ba4f46795305ab74b9c47e7 Author: Felix Meschberger <[email protected]> AuthorDate: Mon Sep 13 14:07:31 2010 +0000 SLING-1762 Add the HttpOnly attribute to setting the authentication cookie to make sure the cookie is not available to client side JavaScript. Also, when extracting the authentication data from the cookie ignore empty values. git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form@996543 13f79535-47bb-0310-9956-ffa450edef68 --- .../auth/form/impl/FormAuthenticationHandler.java | 60 +++++++++++++++++----- 1 file changed, 46 insertions(+), 14 deletions(-) diff --git a/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java b/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java index 7f8a5ca..8865eab 100644 --- a/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java +++ b/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java @@ -891,6 +891,15 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler { * {@link CookieAuthData} in an HTTP Cookie. */ private static class CookieStorage implements AuthenticationStorage { + + /** + * The Set-Cookie header used to manage the login cookie. + * + * @see CookieStorage#setCookie(HttpServletRequest, HttpServletResponse, + * String, String, int, String) + */ + private static final String HEADER_SET_COOKIE = "Set-Cookie"; + private final String cookieName; private final String domainCookieName; private final String defaultCookieDomain; @@ -907,15 +916,15 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler { for (Cookie cookie : cookies) { if (this.cookieName.equals(cookie.getName())) { // found the cookie, so try to extract the credentials - // from it + // from it and reverse the base64 encoding String value = cookie.getValue(); - - // reverse the base64 encoding - try { - return new String(Base64.decodeBase64(value), - "UTF-8"); - } catch (UnsupportedEncodingException e1) { - throw new RuntimeException(e1); + if (value.length() > 0) { + try { + return new String(Base64.decodeBase64(value), + "UTF-8"); + } catch (UnsupportedEncodingException e1) { + throw new RuntimeException(e1); + } } } } @@ -983,14 +992,37 @@ public class FormAuthenticationHandler extends AbstractAuthenticationHandler { ? "/" : ctxPath; - Cookie cookie = new Cookie(name, value); + /* + * The Servlet Spec 2.5 does not allow us to set the commonly used + * HttpOnly attribute on cookies (Servlet API 3.0 does) so we create + * the Set-Cookie header manually. See + * http://www.owasp.org/index.php/HttpOnly for information on what + * the HttpOnly attribute is used for. + */ + + final StringBuilder header = new StringBuilder(); + + // default setup with name, value, cookie path and HttpOnly + header.append(name).append('=').append(value); + header.append(";Path=").append(cookiePath); + header.append(";HttpOnly"); // don't allow JS access + + // set the cookie domain if so configured if (domain != null) { - cookie.setDomain(domain); + header.append(";Domain=").append(domain); + } + + // Only set the Max-Age attribute to remove the cookie + if (age == 0) { + header.append(";Max-Age=").append(age); } - cookie.setMaxAge(age); - cookie.setPath(cookiePath); - cookie.setSecure(request.isSecure()); - response.addCookie(cookie); + + // ensure the cookie is secured if this is an https request + if (request.isSecure()) { + header.append(";Secure"); + } + + response.addHeader(HEADER_SET_COOKIE, header.toString()); } } -- To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
