Author: markt Date: Sun Mar 1 12:47:54 2009 New Revision: 749019 URL: http://svn.apache.org/viewvc?rev=749019&view=rev Log: Provide an option to use httpOnly for session cookies. Disabled by default.
Modified: tomcat/tc6.0.x/trunk/ (props changed) tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml Propchange: tomcat/tc6.0.x/trunk/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Sun Mar 1 12:47:54 2009 
@@ -1 +1 @@ -/tomcat/trunk:601180,606992,612607,630314,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719602,719626,719628,720046,720069,721040,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,747834,748344 +/tomcat/trunk:601180,606992,612607,630314,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719602,719626,719628,720046,720069,721040,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,747834,748344 Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Mar 1 12:47:54 2009 
@@ -43,19 +43,6 @@ +1: pero, fhanik, markt, jim -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44382 - Use HttpOnly for session cookies. This is enabled by default. Feel free to - caveat your vote with a preference for disabled by default. - http://svn.apache.org/viewvc?rev=694992&view=rev - +1: mark (prefer enabled, happy with disabled), rjung - +1: fhanik - if default value is to not set it for backwards compatibility - 0: remm (not so elegant, not sure about default value) - markt It can be improved once the API is fixed in the 3.0 spec - funkman: leave as gap until 3.0 spec - -1: - rjung: slightly prefer enabled for 6.0.x because of increased security by default, - but disabled for tc5.5.x because of the small risk of breaking existing apps. - * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45026 Never use empty reason phrase. http://svn.apache.org/viewvc?rev=697183&view=rev Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java Sun Mar 1 12:47:54 2009 
@@ -240,6 +240,24 @@ public void setSessionAverageAliveTime(int sessionAverageAliveTime); + /** + * Gets the value of the use HttpOnly cookies for session cookies flag. + * + * @return <code>true</code> if the HttpOnly flag should be set on session + * cookies + */ + public boolean getUseHttpOnly(); + + + /** + * Sets the use HttpOnly cookies for session cookies flag. + * + * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies + * for session cookies + */ + public void setUseHttpOnly(boolean useHttpOnly); + + // --------------------------------------------------------- Public Methods Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Sun Mar 1 12:47:54 2009 @@ -2330,7 +2330,7 @@ Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, session.getIdInternal()); configureSessionCookie(cookie); - response.addCookieInternal(cookie); + response.addCookieInternal(cookie, manager.getUseHttpOnly()); } if (session != null) { Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java Sun Mar 1 12:47:54 2009 
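Review bot: Adding `getUseHttpOnly()`/`setUseHttpOnly(boolean)` to the `Manager` interface is a source- and binary-incompatible change for any third-party Manager that does not extend `ManagerBase`, and the `Request.java` hunk in this same commit calls `manager.getUseHttpOnly()` unconditionally, so an old implementation would presumably fail with an AbstractMethodError at the first session cookie rather than at deployment time. The changelog entry says nothing about this, so the incompatibility should be called out in the javadoc and changelog: `Custom Manager implementations must now implement getUseHttpOnly()/setUseHttpOnly(); ManagerBase supplies a default of false.` The STATUS.txt discussion already acknowledges the interface is provisional until the 3.0 spec API exists, so a pointer to that in the javadoc would also help.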
@@ -976,6 +976,17 @@ * @param cookie Cookie to be added */ public void addCookieInternal(final Cookie cookie) { + addCookieInternal(cookie, false); + } + + /** + * Add the specified Cookie to those that will be included with + * this Response. + * + * @param cookie Cookie to be added + * @param httpOnly Should the httpOnly falg be set on this cookie + */ + public void addCookieInternal(final Cookie cookie, final boolean httpOnly) { if (isCommitted()) return; @@ -990,7 +1001,8 @@ (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(), - cookie.getMaxAge(), cookie.getSecure()); + cookie.getMaxAge(), cookie.getSecure(), + httpOnly); return null; } }); @@ -998,7 +1010,7 @@ ServerCookie.appendCookieValue (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(), - cookie.getMaxAge(), cookie.getSecure()); + cookie.getMaxAge(), cookie.getSecure(), httpOnly); } //if we reached here, no exception, cookie is valid // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 ) Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java Sun Mar 1 12:47:54 2009 @@ -217,7 +217,11 @@ */ protected PropertyChangeSupport support = new PropertyChangeSupport(this); - + /** + * The flag that indicates that session cookies should use HttpOnly + */ + protected boolean useHttpOnly = false; + // ------------------------------------------------------------- Security classes 
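Review bot: The javadoc of the new two-argument `addCookieInternal` has a typo (`falg` should be `flag`), and the one-argument overload now silently hard-codes `httpOnly` to `false` without saying so, which matters because this is presumably the path application cookies reach (the Servlet 2.5 `Cookie` class has no HttpOnly setter), so application cookies can never receive the attribute. Suggest `@param httpOnly Should the HttpOnly flag be set on this cookie` and, on the one-argument overload, `* Equivalent to {@code addCookieInternal(cookie, false)}: the HttpOnly attribute is never emitted through this overload.` The body of the two-argument overload continues outside this hunk.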
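Review bot: `useHttpOnly` is initialised to `false` here, matching the commit message and the changelog entry, but the `manager.xml` hunk in this same commit documents the attribute as defaulting to `true` in the PersistentManager section; since both managers inherit this one field, the docs should read `false` in both places. The field comment should also make clear what the flag covers, because the `Response.java` hunk shows application cookies always get `false`: `/** Whether the session cookie written by the connector (not cookies added by applications) should carry the HttpOnly attribute. Defaults to false. */`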
@@ -655,6 +659,27 @@ } + /** + * Gets the value of the use HttpOnly cookies for session cookies flag. + * + * @return <code>true</code> if the HttpOnly flag should be set on session + * cookies + */ + public boolean getUseHttpOnly() { + return useHttpOnly; + } + + + /** + * Sets the use HttpOnly cookies for session cookies flag. + * + * @param useHttpOnly Set to <code>true</code> to use HttpOnly cookies + * for session cookies + */ + public void setUseHttpOnly(boolean useHttpOnly) { + this.useHttpOnly = useHttpOnly; + } + // --------------------------------------------------------- Public Methods Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookie.java Sun Mar 1 12:47:54 2009 @@ -275,7 +275,8 @@ String domain, String comment, int maxAge, - boolean isSecure ) + boolean isSecure, + boolean isHttpOnly) { StringBuffer buf = new StringBuffer(); // Servlet implementation checks name @@ -343,6 +344,10 @@ buf.append ("; Secure"); } + // HttpOnly + if (isHttpOnly) { + buf.append("; HttpOnly"); + } headerBuf.append(buf); } Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Mar 1 12:47:54 2009 
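Review bot: `setUseHttpOnly` assigns the field without notifying `support`, the `PropertyChangeSupport` declared in the earlier ManagerBase hunk; if the other ManagerBase setters fire change events — I cannot see them from here — this one should do the same for consistency, e.g. `boolean old = this.useHttpOnly; this.useHttpOnly = useHttpOnly; support.firePropertyChange("useHttpOnly", old, useHttpOnly);`. If they do not, the setter is fine as written and only the javadoc could be tightened to say the flag applies to session cookies issued after the change, since the `Request.java` hunk reads it at cookie-creation time.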
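Review bot: The new `; HttpOnly` suffix is appended regardless of the cookie `version` argument, so version-1 (RFC 2109) cookies also carry an attribute that RFC 2109 does not define; browsers generally ignore attributes they do not recognise and those that implement HttpOnly accept it on either version, so appending unconditionally is the right call, but it deserves a comment so nobody later gates it on version: `// HttpOnly is not part of RFC 2109 but browsers honour it on both v0 and v1 cookies, so append it unconditionally.` Emitting the attribute without a value (`; HttpOnly`, not `; HttpOnly=true`) is the form browsers expect. The enclosing `appendCookieValue` method begins outside this hunk.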
@@ -272,6 +272,10 @@ <bug>46606</bug>: Make the max DEPTH for a WebDAV request configurable. The default is still 3. (markt) </fix> + <add> + <bug>44382</bug>: Add support for using httpOnly for session cookies. + This is disabled by default. (markt) + </add> </changelog> </subsection> <subsection name="Coyote"> Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml?rev=749019&r1=749018&r2=749019&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml Sun Mar 1 12:47:54 2009 @@ -157,6 +157,12 @@ The default is 16.</p> </attribute> + <attribute name="useHttpOnly" required="false"> + <p>Should the HttpOnly flag be set on session cookies to prevent client + side script from accessing the session ID? Defaults to + <code>false</code>.</p> + </attribute> + </attributes> <h3>Persistent Manager Implementation</h3> @@ -264,6 +270,12 @@ The default is 16.</p> </attribute> + <attribute name="useHttpOnly" required="false"> + <p>Should the HttpOnly flag be set on session cookies to prevent client + side script from accessing the session ID? Defaults to + <code>true</code>.</p> + </attribute> + </attributes> <p>In order to successfully use a PersistentManager, you must nest inside --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org