Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/09/13 19:39:47 UTC
svn commit: r694992 - in /tomcat/trunk: java/org/apache/catalina/
java/org/apache/catalina/connector/ java/org/apache/catalina/session/
java/org/apache/tomcat/util/http/ webapps/docs/config/
Author: markt
Date: Sat Sep 13 10:39:47 2008
New Revision: 694992
URL: http://svn.apache.org/viewvc?rev=694992&view=rev
Log:
Add HttpOnly support to session cookies. It is enabled by default and can be disabled via the manager configuration.
Based on a patch by Jim Manico.
Modified:
tomcat/trunk/java/org/apache/catalina/Manager.java
tomcat/trunk/java/org/apache/catalina/connector/Request.java
tomcat/trunk/java/org/apache/catalina/connector/Response.java
tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
tomcat/trunk/webapps/docs/config/manager.xml
Modified: tomcat/trunk/java/org/apache/catalina/Manager.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Manager.java?rev=694992&r1=694991&r2=694992&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/Manager.java (original)
+++ tomcat/trunk/java/org/apache/catalina/Manager.java Sat Sep 13 10:39:47 2008
@@ -240,6 +240,24 @@
public void setSessionAverageAliveTime(int sessionAverageAliveTime);
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return <code>true</code> if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly();
+
+
+ /**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly);
+
+
// --------------------------------------------------------- Public Methods
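Review bot: The two new methods are added to the public `Manager` interface as abstract declarations, so any implementation of `Manager` that does not extend `ManagerBase` stops compiling until it adds them; if out-of-tree managers are expected, that is worth calling out in the changelog or release notes. The Javadoc wording "Gets the value of the use HttpOnly cookies for session cookies flag" is hard to parse; a plainer summary would be `* Returns whether the HttpOnly flag is set on session cookies.` and, for the setter, `* Sets whether the HttpOnly flag is set on session cookies.`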
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=694992&r1=694991&r2=694992&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Sat Sep 13 10:39:47 2008
@@ -2331,7 +2331,7 @@
Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
session.getIdInternal());
configureSessionCookie(cookie);
- response.addCookieInternal(cookie);
+ response.addCookieInternal(cookie, manager.getUseHttpOnly());
}
if (session != null) {
Modified: tomcat/trunk/java/org/apache/catalina/connector/Response.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Response.java?rev=694992&r1=694991&r2=694992&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Response.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Response.java Sat Sep 13 10:39:47 2008
@@ -954,6 +954,17 @@
* @param cookie Cookie to be added
*/
public void addCookieInternal(final Cookie cookie) {
+ addCookieInternal(cookie, false);
+ }
+
+ /**
+ * Add the specified Cookie to those that will be included with
+ * this Response.
+ *
+ * @param cookie Cookie to be added
+ * @param httpOnly Should the httpOnly falg be set on this cookie
+ */
+ public void addCookieInternal(final Cookie cookie, final boolean httpOnly) {
if (isCommitted())
return;
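Review bot: The Javadoc on the new two-argument overload has a typo, "falg", and should read `* @param httpOnly Should the HttpOnly flag be set on this cookie`. The retained one-argument `addCookieInternal(cookie)` now silently delegates with `false`, which is the backward-compatible choice but is not stated anywhere; a one-line note on that overload such as `* The HttpOnly flag is never set by this overload; see the two-argument form.` would make the contract explicit. The body of `addCookieInternal(cookie, httpOnly)` continues past this hunk into the two hunks below.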
@@ -968,7 +979,8 @@
(sb, cookie.getVersion(), cookie.getName(),
cookie.getValue(), cookie.getPath(),
cookie.getDomain(), cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(),
+ httpOnly);
return null;
}
});
@@ -976,7 +988,7 @@
ServerCookie.appendCookieValue
(sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
cookie.getPath(), cookie.getDomain(), cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(), httpOnly);
}
//if we reached here, no exception, cookie is valid
// the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
Modified: tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=694992&r1=694991&r2=694992&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java Sat Sep 13 10:39:47 2008
@@ -217,7 +217,11 @@
*/
protected PropertyChangeSupport support = new PropertyChangeSupport(this);
-
+ /**
+ * The flag that indicates that session cookies should use HttpOnly
+ */
+ protected boolean useHttpOnly = true;
+
// ------------------------------------------------------------- Security classes
@@ -655,6 +659,27 @@
}
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return <code>true</code> if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly() {
+ return useHttpOnly;
+ }
+
+
+ /**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly) {
+ this.useHttpOnly = useHttpOnly;
+ }
+
// --------------------------------------------------------- Public Methods
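Review bot: `setUseHttpOnly` assigns the field directly and does not notify the `PropertyChangeSupport` held in the `support` field shown in the earlier hunk; if the other setters in `ManagerBase` fire change events through `support` (inferred, not visible here), this one should do the same for consistency, e.g. `boolean oldUseHttpOnly = this.useHttpOnly; this.useHttpOnly = useHttpOnly; support.firePropertyChange("useHttpOnly", oldUseHttpOnly, this.useHttpOnly);`. The field comment could also state the default, `* The flag that indicates that session cookies should use HttpOnly. Defaults to true.`, since the default is the security-relevant part of this change.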
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=694992&r1=694991&r2=694992&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java Sat Sep 13 10:39:47 2008
@@ -257,7 +257,8 @@
String domain,
String comment,
int maxAge,
- boolean isSecure )
+ boolean isSecure,
+ boolean isHttpOnly)
{
StringBuffer buf = new StringBuffer();
// Servlet implementation checks name
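Review bot: The previous nine-argument signature of the public static `appendCookieValue` is replaced rather than kept, so external callers of `org.apache.tomcat.util.http.ServerCookie` (a public utility class) break at compile time, whereas the same commit keeps the old `addCookieInternal(cookie)` overload in `Response`. Consider retaining the old signature as an overload that delegates to the new one with `false` for `isHttpOnly`, mirroring what was done in `Response`. The parameter list of `appendCookieValue` starts before this hunk and its body runs past it, so I cannot see whether such an overload already exists elsewhere in the file.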
@@ -321,6 +322,10 @@
buf.append ("; Secure");
}
+ // HttpOnly
+ if (isHttpOnly) {
+ buf.append("; HttpOnly");
+ }
headerBuf.append(buf);
}
Modified: tomcat/trunk/webapps/docs/config/manager.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/manager.xml?rev=694992&r1=694991&r2=694992&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/manager.xml (original)
+++ tomcat/trunk/webapps/docs/config/manager.xml Sat Sep 13 10:39:47 2008
@@ -157,6 +157,12 @@
The default is 16.</p>
</attribute>
+ <attribute name="useHttpOnly" required="false">
+ <p>Should the HttpOnly flag be set on session cookies to prevent client
+ side script from accessing the session ID? Defaults to
+ <code>true</code>.</p>
+ </attribute>
+
</attributes>
<h3>Persistent Manager Implementation</h3>
@@ -264,6 +270,12 @@
The default is 16.</p>
</attribute>
+ <attribute name="useHttpOnly" required="false">
+ <p>Should the HttpOnly flag be set on session cookies to prevent client
+ side script from accessing the session ID? Defaults to
+ <code>true</code>.</p>
+ </attribute>
+
</attributes>
<p>In order to successfully use a PersistentManager, you must nest inside
Re: svn commit: r694992 - in /tomcat/trunk: java/org/apache/catalina/
java/org/apache/catalina/connector/ java/org/apache/catalina/session/ java/org/apache/tomcat/util/http/
webapps/docs/config/
Posted by Mark Thomas <ma...@apache.org>.
Filip Hanik - Dev Lists wrote:
> should the default be false, to mimic previous behavior?
For trunk I would argue not. For 6.0.x and 5.5.x I also favour enabled by
default but you can vote either way and I'll only commit enabled if it gets
enough votes.
Mark
>
> Filip
>
> markt@apache.org wrote:
>> Author: markt
>> Date: Sat Sep 13 10:39:47 2008
>> New Revision: 694992
>>
>> URL: http://svn.apache.org/viewvc?rev=694992&view=rev
>> Log:
>> Add HttpOnly support to session cookies. It is enabled by default and
>> can be disabled at via manager configuration.
>> Based on a patch by Jim Manico.
>>
>> Modified:
>> tomcat/trunk/java/org/apache/catalina/Manager.java
>> tomcat/trunk/java/org/apache/catalina/connector/Request.java
>> tomcat/trunk/java/org/apache/catalina/connector/Response.java
>> tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
>> tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
>> tomcat/trunk/webapps/docs/config/manager.xml
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/Manager.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Manager.java?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/java/org/apache/catalina/Manager.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/Manager.java Sat Sep 13
>> 10:39:47 2008
>> @@ -240,6 +240,24 @@
>> public void setSessionAverageAliveTime(int sessionAverageAliveTime);
>>
>>
>> + /**
>> + * Gets the value of the use HttpOnly cookies for session cookies
>> flag.
>> + * + * @return <code>true</code> if the HttpOnly flag should
>> be set on session
>> + * cookies
>> + */
>> + public boolean getUseHttpOnly();
>> +
>> +
>> + /**
>> + * Sets the use HttpOnly cookies for session cookies flag.
>> + * + * @param useHttpOnly Set to <code>true</code> to use
>> HttpOnly cookies
>> + * for session cookies
>> + */
>> + public void setUseHttpOnly(boolean useHttpOnly);
>> +
>> +
>> // ---------------------------------------------------------
>> Public Methods
>>
>>
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java
>> (original)
>> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Sat
>> Sep 13 10:39:47 2008
>> @@ -2331,7 +2331,7 @@
>> Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
>> session.getIdInternal());
>> configureSessionCookie(cookie);
>> - response.addCookieInternal(cookie);
>> + response.addCookieInternal(cookie,
>> manager.getUseHttpOnly());
>> }
>>
>> if (session != null) {
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/connector/Response.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Response.java?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/java/org/apache/catalina/connector/Response.java
>> (original)
>> +++ tomcat/trunk/java/org/apache/catalina/connector/Response.java Sat
>> Sep 13 10:39:47 2008
>> @@ -954,6 +954,17 @@
>> * @param cookie Cookie to be added
>> */
>> public void addCookieInternal(final Cookie cookie) {
>> + addCookieInternal(cookie, false);
>> + }
>> +
>> + /**
>> + * Add the specified Cookie to those that will be included with
>> + * this Response.
>> + *
>> + * @param cookie Cookie to be added
>> + * @param httpOnly Should the httpOnly falg be set on this cookie
>> + */
>> + public void addCookieInternal(final Cookie cookie, final boolean
>> httpOnly) {
>>
>> if (isCommitted())
>> return;
>> @@ -968,7 +979,8 @@
>> (sb, cookie.getVersion(), cookie.getName(),
>> cookie.getValue(), cookie.getPath(),
>> cookie.getDomain(), cookie.getComment(),
>> - cookie.getMaxAge(), cookie.getSecure());
>> + cookie.getMaxAge(), cookie.getSecure(),
>> + httpOnly);
>> return null;
>> }
>> });
>> @@ -976,7 +988,7 @@
>> ServerCookie.appendCookieValue
>> (sb, cookie.getVersion(), cookie.getName(),
>> cookie.getValue(),
>> cookie.getPath(), cookie.getDomain(),
>> cookie.getComment(), - cookie.getMaxAge(),
>> cookie.getSecure());
>> + cookie.getMaxAge(), cookie.getSecure(), httpOnly);
>> }
>> //if we reached here, no exception, cookie is valid
>> // the header name is Set-Cookie for both "old" and v.1 (
>> RFC2109 )
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
>> (original)
>> +++ tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java Sat
>> Sep 13 10:39:47 2008
>> @@ -217,7 +217,11 @@
>> */
>> protected PropertyChangeSupport support = new
>> PropertyChangeSupport(this);
>> - + /**
>> + * The flag that indicates that session cookies should use HttpOnly
>> + */
>> + protected boolean useHttpOnly = true;
>> +
>> // -------------------------------------------------------------
>> Security classes
>>
>>
>> @@ -655,6 +659,27 @@
>>
>> }
>>
>> + /**
>> + * Gets the value of the use HttpOnly cookies for session cookies
>> flag.
>> + * + * @return <code>true</code> if the HttpOnly flag should
>> be set on session
>> + * cookies
>> + */
>> + public boolean getUseHttpOnly() {
>> + return useHttpOnly;
>> + }
>> +
>> +
>> + /**
>> + * Sets the use HttpOnly cookies for session cookies flag.
>> + * + * @param useHttpOnly Set to <code>true</code> to use
>> HttpOnly cookies
>> + * for session cookies
>> + */
>> + public void setUseHttpOnly(boolean useHttpOnly) {
>> + this.useHttpOnly = useHttpOnly;
>> + }
>> + // ---------------------------------------------------------
>> Public Methods
>>
>>
>>
>> Modified: tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
>> (original)
>> +++ tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
>> Sat Sep 13 10:39:47 2008
>> @@ -257,7 +257,8 @@
>> String domain,
>> String comment,
>> int maxAge,
>> - boolean isSecure )
>> + boolean isSecure,
>> + boolean isHttpOnly)
>> {
>> StringBuffer buf = new StringBuffer();
>> // Servlet implementation checks name
>> @@ -321,6 +322,10 @@
>> buf.append ("; Secure");
>> }
>> + // HttpOnly
>> + if (isHttpOnly) {
>> + buf.append("; HttpOnly");
>> + }
>> headerBuf.append(buf);
>> }
>>
>>
>> Modified: tomcat/trunk/webapps/docs/config/manager.xml
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/manager.xml?rev=694992&r1=694991&r2=694992&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/webapps/docs/config/manager.xml (original)
>> +++ tomcat/trunk/webapps/docs/config/manager.xml Sat Sep 13 10:39:47 2008
>> @@ -157,6 +157,12 @@
>> The default is 16.</p>
>> </attribute>
>>
>> + <attribute name="useHttpOnly" required="false">
>> + <p>Should the HttpOnly flag be set on session cookies to
>> prevent client
>> + side script from accessing the session ID? Defaults to
>> + <code>true</code>.</p>
>> + </attribute>
>> +
>> </attributes>
>>
>> <h3>Persistent Manager Implementation</h3>
>> @@ -264,6 +270,12 @@
>> The default is 16.</p>
>> </attribute>
>>
>> + <attribute name="useHttpOnly" required="false">
>> + <p>Should the HttpOnly flag be set on session cookies to
>> prevent client
>> + side script from accessing the session ID? Defaults to
>> + <code>true</code>.</p>
>> + </attribute>
>> +
>> </attributes>
>>
>> <p>In order to successfully use a PersistentManager, you must
>> nest inside
>>
>>
>>
>>
>>
>>
>
>
>
>
Re: svn commit: r694992 - in /tomcat/trunk: java/org/apache/catalina/
java/org/apache/catalina/connector/ java/org/apache/catalina/session/ java/org/apache/tomcat/util/http/
webapps/docs/config/
Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
should the default be false, to mimic previous behavior?
Filip
markt@apache.org wrote:
> Author: markt
> Date: Sat Sep 13 10:39:47 2008
> New Revision: 694992
>
> URL: http://svn.apache.org/viewvc?rev=694992&view=rev
> Log:
> Add HttpOnly support to session cookies. It is enabled by default and can be disabled at via manager configuration.
> Based on a patch by Jim Manico.
>
> Modified:
> tomcat/trunk/java/org/apache/catalina/Manager.java
> tomcat/trunk/java/org/apache/catalina/connector/Request.java
> tomcat/trunk/java/org/apache/catalina/connector/Response.java
> tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
> tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
> tomcat/trunk/webapps/docs/config/manager.xml
>
> Modified: tomcat/trunk/java/org/apache/catalina/Manager.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Manager.java?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/Manager.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/Manager.java Sat Sep 13 10:39:47 2008
> @@ -240,6 +240,24 @@
> public void setSessionAverageAliveTime(int sessionAverageAliveTime);
>
>
> + /**
> + * Gets the value of the use HttpOnly cookies for session cookies flag.
> + *
> + * @return <code>true</code> if the HttpOnly flag should be set on session
> + * cookies
> + */
> + public boolean getUseHttpOnly();
> +
> +
> + /**
> + * Sets the use HttpOnly cookies for session cookies flag.
> + *
> + * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
> + * for session cookies
> + */
> + public void setUseHttpOnly(boolean useHttpOnly);
> +
> +
> // --------------------------------------------------------- Public Methods
>
>
>
> Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Sat Sep 13 10:39:47 2008
> @@ -2331,7 +2331,7 @@
> Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
> session.getIdInternal());
> configureSessionCookie(cookie);
> - response.addCookieInternal(cookie);
> + response.addCookieInternal(cookie, manager.getUseHttpOnly());
> }
>
> if (session != null) {
>
> Modified: tomcat/trunk/java/org/apache/catalina/connector/Response.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Response.java?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/connector/Response.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/connector/Response.java Sat Sep 13 10:39:47 2008
> @@ -954,6 +954,17 @@
> * @param cookie Cookie to be added
> */
> public void addCookieInternal(final Cookie cookie) {
> + addCookieInternal(cookie, false);
> + }
> +
> + /**
> + * Add the specified Cookie to those that will be included with
> + * this Response.
> + *
> + * @param cookie Cookie to be added
> + * @param httpOnly Should the httpOnly falg be set on this cookie
> + */
> + public void addCookieInternal(final Cookie cookie, final boolean httpOnly) {
>
> if (isCommitted())
> return;
> @@ -968,7 +979,8 @@
> (sb, cookie.getVersion(), cookie.getName(),
> cookie.getValue(), cookie.getPath(),
> cookie.getDomain(), cookie.getComment(),
> - cookie.getMaxAge(), cookie.getSecure());
> + cookie.getMaxAge(), cookie.getSecure(),
> + httpOnly);
> return null;
> }
> });
> @@ -976,7 +988,7 @@
> ServerCookie.appendCookieValue
> (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
> cookie.getPath(), cookie.getDomain(), cookie.getComment(),
> - cookie.getMaxAge(), cookie.getSecure());
> + cookie.getMaxAge(), cookie.getSecure(), httpOnly);
> }
> //if we reached here, no exception, cookie is valid
> // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
>
> Modified: tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java Sat Sep 13 10:39:47 2008
> @@ -217,7 +217,11 @@
> */
> protected PropertyChangeSupport support = new PropertyChangeSupport(this);
>
> -
> + /**
> + * The flag that indicates that session cookies should use HttpOnly
> + */
> + protected boolean useHttpOnly = true;
> +
> // ------------------------------------------------------------- Security classes
>
>
> @@ -655,6 +659,27 @@
>
> }
>
> + /**
> + * Gets the value of the use HttpOnly cookies for session cookies flag.
> + *
> + * @return <code>true</code> if the HttpOnly flag should be set on session
> + * cookies
> + */
> + public boolean getUseHttpOnly() {
> + return useHttpOnly;
> + }
> +
> +
> + /**
> + * Sets the use HttpOnly cookies for session cookies flag.
> + *
> + * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies
> + * for session cookies
> + */
> + public void setUseHttpOnly(boolean useHttpOnly) {
> + this.useHttpOnly = useHttpOnly;
> + }
> +
> // --------------------------------------------------------- Public Methods
>
>
>
> Modified: tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookie.java Sat Sep 13 10:39:47 2008
> @@ -257,7 +257,8 @@
> String domain,
> String comment,
> int maxAge,
> - boolean isSecure )
> + boolean isSecure,
> + boolean isHttpOnly)
> {
> StringBuffer buf = new StringBuffer();
> // Servlet implementation checks name
> @@ -321,6 +322,10 @@
> buf.append ("; Secure");
> }
>
> + // HttpOnly
> + if (isHttpOnly) {
> + buf.append("; HttpOnly");
> + }
> headerBuf.append(buf);
> }
>
>
> Modified: tomcat/trunk/webapps/docs/config/manager.xml
> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/manager.xml?rev=694992&r1=694991&r2=694992&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/docs/config/manager.xml (original)
> +++ tomcat/trunk/webapps/docs/config/manager.xml Sat Sep 13 10:39:47 2008
> @@ -157,6 +157,12 @@
> The default is 16.</p>
> </attribute>
>
> + <attribute name="useHttpOnly" required="false">
> + <p>Should the HttpOnly flag be set on session cookies to prevent client
> + side script from accessing the session ID? Defaults to
> + <code>true</code>.</p>
> + </attribute>
> +
> </attributes>
>
> <h3>Persistent Manager Implementation</h3>
> @@ -264,6 +270,12 @@
> The default is 16.</p>
> </attribute>
>
> + <attribute name="useHttpOnly" required="false">
> + <p>Should the HttpOnly flag be set on session cookies to prevent client
> + side script from accessing the session ID? Defaults to
> + <code>true</code>.</p>
> + </attribute>
> +
> </attributes>
>
> <p>In order to successfully use a PersistentManager, you must nest inside
>
>
>
>
>
>