On May 4, 2010, at 10:50 PM, sdumitriu (SVN) wrote:
> Author: sdumitriu
> Date: 2010-05-04 22:50:34 +0200 (Tue, 04 May 2010)
> New Revision: 28709
>
> Modified:
>
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
> Log:
> XWIKI-5156: Session cookies are not marked as HttpOnly
> Fixed
>
> Modified:
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
> ===================================================================
> ---
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
> 2010-05-04 20:50:00 UTC (rev 28708)
> +++
> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
> 2010-05-04 20:50:34 UTC (rev 28709)
> @@ -245,7 +245,31 @@
> LOG.debug("Adding cookie: " + cookie.getDomain() +
> cookie.getPath() + " " + cookie.getName() + "="
> + cookie.getValue());
> }
> - response.addCookie(cookie);
> + // We don't use the container's response.addCookie, since the
> HttpOnly cookie flag was introduced only recently
> + // in the servlet specification, and we're still using the older 2.4
> specification as a minimal requirement for
> + // compatibility with as many containers as possible. Instead, we
> write the cookie manually as a HTTP header.
AFAIK addCookie is available in the 2.3 spec:
http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpServletResponse.html#addCookie%28javax.servlet.http.Cookie%29
Thanks
-Vincent
> + StringBuilder cookieValue = new StringBuilder(150);
> + cookieValue.append(cookie.getName() + "=");
> + if (StringUtils.isNotEmpty(cookie.getValue())) {
> + cookieValue.append("\"" + cookie.getValue() + "\"");
> + }
> + cookieValue.append("; Version=1");
> + if (cookie.getMaxAge() >= 0) {
> + cookieValue.append("; Max-Age=" + cookie.getMaxAge());
> + } else {
> + cookieValue.append("; Discard");
> + }
> + if (StringUtils.isNotEmpty(cookie.getDomain())) {
> + // IE needs toLowerCase for the domain name
> + cookieValue.append("; Domain=" +
> cookie.getDomain().toLowerCase());
> + }
> + if (StringUtils.isNotEmpty(cookie.getPath())) {
> + cookieValue.append("; Path=" + cookie.getPath());
> + }
> + // Protect cookies from being used from JavaScript, see
> http://www.owasp.org/index.php/HttpOnly
> + cookieValue.append("; HttpOnly");
> +
> + response.addHeader("Set-Cookie", cookieValue.toString());
> }
>
> /**
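Review bot: the hand-built Set-Cookie header drops the Secure attribute. The builder emits Version, Max-Age/Discard, Domain, Path and HttpOnly, but never consults cookie.getSecure(), so any cookie that was created with setSecure(true) loses that flag the moment response.addCookie(cookie) is replaced by response.addHeader("Set-Cookie", ...). Suggest adding, before the HttpOnly line:
if (cookie.getSecure()) {
    cookieValue.append("; Secure");
}
A second point: bypassing addCookie also bypasses the container's validation of the name and value, and the hunk concatenates cookie.getName() and cookie.getValue() unescaped inside the quoted value. A value containing a double quote, a semicolon, CR or LF would produce a malformed or split header, so the values should be validated or encoded before they are appended.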
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs