[ 
https://issues.apache.org/jira/browse/DRILL-6466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16502198#comment-16502198
 ] 

ASF GitHub Bot commented on DRILL-6466:
---------------------------------------

sohami commented on a change in pull request #1304: DRILL-6466: Add httpOnly flag to response cookies
URL: https://github.com/apache/drill/pull/1304#discussion_r193163937
 
 

 ##########
 File path: exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
 ##########
 @@ -217,6 +218,8 @@ private ServletContextHandler 
createServletContextHandler(final boolean authEnab
       //DrillSecurityHandler is used to support SPNEGO and FORM authentication 
together
       servletContextHandler.setSecurityHandler(new 
DrillHttpSecurityHandlerProvider(config, workManager.getContext()));
       
servletContextHandler.setSessionHandler(createSessionHandler(servletContextHandler.getSecurityHandler()));
+      SessionCookieConfig sessionCookieConfig = 
servletContextHandler.getServletContext().getSessionCookieConfig();
+      sessionCookieConfig.setHttpOnly(true);
 
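Review bot: the two added lines only harden the servlet session cookie (SessionCookieConfig covers JSESSIONID), while the issue title speaks of response cookies in general; any cookie the REST resources set themselves is unaffected by this change and would need its own HttpOnly flag. Also, SessionCookieConfig setters throw IllegalStateException once the ServletContext has been initialized, so the call has to stay on the construction path before the context starts; placing it next to the handler creation in createSessionHandler(), as the review comment below suggests, keeps that ordering obvious. Consider setting Secure as well when the web server is running with TLS, since HttpOnly alone does not stop the session cookie from being sent over plain HTTP.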
 Review comment:
   I would recommend moving this logic inside `createSessionHandler()`, as below:
   
   `sessionManager.getSessionCookieConfig().setHttpOnly(true);`

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> Add httpOnly flag for response cookies
> --------------------------------------
>
>                 Key: DRILL-6466
>                 URL: https://issues.apache.org/jira/browse/DRILL-6466
>             Project: Apache Drill
>          Issue Type: Improvement
>    Affects Versions: 1.13.0
>            Reporter: Arina Ielchiieva
>            Assignee: Arina Ielchiieva
>            Priority: Minor
>             Fix For: 1.14.0
>
>         Attachments: httpOnly.JPG
>
>
> Add httpOnly flag to response cookies.
> {quote}
> When you tag a cookie with the HttpOnly flag, it tells the browser that this 
> particular cookie should only be accessed by the server. Any attempt to 
> access the cookie from client script is strictly forbidden. HttpOnly cookies 
> make huge classes of common XSS attacks much harder to pull off. 
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)