This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.

These methods have the javadoc that says the following:
I couldn't find what it means for "ServletContext ... has already been initialized".
Servlet 3.0 spec section 4.4 says the following:
... although "the following methods" do not include getSessionCookieConfig().
Based on those two data points and how Tomcat behaves, I assume the intent of the spec is that the method in question can be only called from ServletContextListener.contextInitialized().
Unfortunately, this means we can't reliably invoke the "setSecure" method, because during the initialization we do not know if Jenkins is only serving HTTPS or not. Winstone seems to accept this happily, so what I'm going to do is to call this method optimistically, but suppress IllegalStateException if we get one. Users who are running on Tomcat and other "more conforming" application containers would have to configure this by themselves through container-specific means. See this document for how to do this with Tomcat.
Fortunately, SECURITY-120 is classified as hardening and not a vulnerability, and the javadoc of the setSecure() method indicates that if the session was created over HTTPS, then the secure cookie flag is set by default.
The code that sets HTTP-only flag can be moved into ServletContextListener.contextInitialized() to ensure it works correctly in Tomcat.
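The approach described in the comment above, as an added example that is not Jenkins or Winstone code: a Servlet 3.0 ServletContextListener that sets the HttpOnly flag on the session cookie from contextInitialized() (the one point where Tomcat allows SessionCookieConfig to be modified), calls setSecure() optimistically only when the deployer has declared the application HTTPS-only, and suppresses IllegalStateException from a stricter container so that the deployer can fall back to container-level configuration. The init parameter name `example.session.cookie.secure` is a hypothetical placeholder, not a real Jenkins or Tomcat setting.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Applies session cookie hardening flags at context start-up.
 *
 * Servlet 3.0 containers such as Tomcat only permit SessionCookieConfig to be
 * changed before the context finishes initializing, so the work is done here
 * rather than lazily on the first request.
 */
@WebListener
public class SessionCookieFlagsListener implements ServletContextListener {

    private static final Logger LOGGER =
            Logger.getLogger(SessionCookieFlagsListener.class.getName());

    /** Hypothetical context init parameter; assumed for this example only. */
    static final String SECURE_PARAM = "example.session.cookie.secure";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookieConfig = ctx.getSessionCookieConfig();

        // HttpOnly is always safe to request: it keeps the session id out of
        // script-accessible document.cookie regardless of transport.
        applyFlag("HttpOnly", () -> cookieConfig.setHttpOnly(true));

        // Secure must be decided now, before any request tells us whether the
        // deployment is reachable over HTTPS. We therefore rely on an explicit
        // deployer declaration; otherwise we keep the container default, which
        // already marks the cookie Secure when the session is created over HTTPS.
        if (Boolean.parseBoolean(ctx.getInitParameter(SECURE_PARAM))) {
            applyFlag("Secure", () -> cookieConfig.setSecure(true));
        }

        LOGGER.info("Session cookie flags: httpOnly=" + cookieConfig.isHttpOnly()
                + " secure=" + cookieConfig.isSecure());
    }

    /**
     * Invokes the setter optimistically. A lenient container (e.g. Winstone)
     * accepts the call; a stricter one throws IllegalStateException, which is
     * logged rather than aborting start-up so the flag can instead be set via
     * container-specific configuration.
     *
     * @return true if the container accepted the change
     */
    static boolean applyFlag(String flagName, Runnable setter) {
        try {
            setter.run();
            return true;
        } catch (IllegalStateException e) {
            LOGGER.log(Level.WARNING, "Container refused to set the " + flagName
                    + " session cookie flag; configure it in the container instead", e);
            return false;
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

Because the listener is annotated with @WebListener it is picked up automatically by a Servlet 3.0 container; the logged values of isHttpOnly() and isSecure() at start-up give a quick way to confirm which flags the container actually accepted.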