On 05/05/2010 10:13 AM, Vincent Massol wrote:
>
> On May 4, 2010, at 10:50 PM, sdumitriu (SVN) wrote:
>
>> Author: sdumitriu
>> Date: 2010-05-04 22:50:34 +0200 (Tue, 04 May 2010)
>> New Revision: 28709
>>
>> Modified:
>>    
>> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
>> Log:
>> XWIKI-5156: Session cookies are not marked as HttpOnly
>> Fixed
>>
>> Modified: 
>> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
>> ===================================================================
>> --- 
>> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
>>  2010-05-04 20:50:00 UTC (rev 28708)
>> +++ 
>> platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java
>>  2010-05-04 20:50:34 UTC (rev 28709)
>> @@ -245,7 +245,31 @@
>>              LOG.debug("Adding cookie: " + cookie.getDomain() + 
>> cookie.getPath() + " " + cookie.getName() + "="
>>                  + cookie.getValue());
>>          }
>> -        response.addCookie(cookie);
>> +        // We don't use the container's response.addCookie, since the 
>> HttpOnly cookie flag was introduced only recently
>> +        // in the servlet specification, and we're still using the older 
>> 2.4 specification as a minimal requirement for
>> +        // compatibility with as many containers as possible. Instead, we 
>> write the cookie manually as a HTTP header.
>
>
> AFAIK addCookie is avail in the 2.3 spec:
> http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpServletResponse.html#addCookie%28javax.servlet.http.Cookie%29

Yes, addCookie is (and it was used before). The problem is the Cookie 
class which doesn't have a setHttpOnly in 2.3.

> Thanks
> -Vincent
>
>> +        StringBuilder cookieValue = new StringBuilder(150);
>> +        cookieValue.append(cookie.getName() + "=");
>> +        if (StringUtils.isNotEmpty(cookie.getValue())) {
>> +            cookieValue.append("\"" + cookie.getValue() + "\"");
>> +        }
>> +        cookieValue.append("; Version=1");
>> +        if (cookie.getMaxAge()>= 0) {
>> +            cookieValue.append("; Max-Age=" + cookie.getMaxAge());
>> +        } else {
>> +            cookieValue.append("; Discard");
>> +        }
>> +        if (StringUtils.isNotEmpty(cookie.getDomain())) {
>> +            // IE needs toLowerCase for the domain name
>> +            cookieValue.append("; Domain=" + 
>> cookie.getDomain().toLowerCase());
>> +        }
>> +        if (StringUtils.isNotEmpty(cookie.getPath())) {
>> +            cookieValue.append("; Path=" + cookie.getPath());
>> +        }
>> +        // Protect cookies from being used from JavaScript, see 
>> http://www.owasp.org/index.php/HttpOnly
>> +        cookieValue.append("; HttpOnly");
>> +
>> +        response.addHeader("Set-Cookie", cookieValue.toString());
>>      }
>>
>>      /**
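Review bot: the hand-written header drops the Secure attribute: nothing in the new block checks cookie.getSecure(), so a cookie the caller marked secure loses that flag once it is emitted this way and the browser will also send it over plain HTTP; add `if (cookie.getSecure()) { cookieValue.append("; Secure"); }` next to the HttpOnly line. Also, cookie.getValue(), getDomain() and getPath() are concatenated without any validation, so a value containing `"`, `;` or CR/LF would corrupt the Set-Cookie header or add attributes of its own; reject or escape those characters before appending. Minor style: `cookie.getMaxAge()>= 0` is missing the space before `>=`.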


-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
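The same technique with the review points applied, as an added example that is not part of this commit or of XWiki (class and method names are my own; Java 6 or later assumed): it writes an RFC 6265-style Set-Cookie header, emits Secure when asked, and rejects values or attributes that could break out of the header rather than quoting them.

```java
import java.util.Locale;
import java.util.regex.Pattern;

public final class HardenedCookieHeader {
    // RFC 6265 cookie-octet: printable US-ASCII except space, '"', ',', ';' and '\'
    private static final Pattern COOKIE_VALUE = Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");
    // RFC 2616 token, used for the cookie name
    private static final Pattern TOKEN = Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    // Domain/Path: anything printable except ';', so no extra attributes or headers can be smuggled in
    private static final Pattern ATTR = Pattern.compile("[\\x21-\\x3A\\x3C-\\x7E]*");

    private static void requireAttr(String what, String v) {
        if (v != null && !ATTR.matcher(v).matches()) {
            throw new IllegalArgumentException(what + " contains ';' or a control character");
        }
    }

    public static String build(String name, String value, int maxAge, String domain, String path, boolean secure) {
        if (!TOKEN.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        // Reject rather than quote: a '"', ';' or CR/LF inside the value would otherwise land in the header
        if (!COOKIE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("cookie value contains characters not allowed in Set-Cookie");
        }
        requireAttr("domain", domain);
        requireAttr("path", path);
        StringBuilder sb = new StringBuilder(150);
        sb.append(name).append('=').append(value);
        if (maxAge >= 0) {
            sb.append("; Max-Age=").append(maxAge);
        }
        if (domain != null && !domain.isEmpty()) {
            sb.append("; Domain=").append(domain.toLowerCase(Locale.ROOT));
        }
        if (path != null && !path.isEmpty()) {
            sb.append("; Path=").append(path);
        }
        if (secure) {
            sb.append("; Secure");   // the flag the reviewed patch leaves out
        }
        sb.append("; HttpOnly");     // keeps document.cookie from reading it
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample; a value such as "x; Path=/\r\nX-Injected: 1" is rejected with IllegalArgumentException
        System.out.println(build("JSESSIONID", "abc123", 3600, "Wiki.Example.Org", "/", true));
    }
}
```

The header is then passed to `response.addHeader("Set-Cookie", ...)` exactly as the patch does; only the string construction changes.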