Author: markt
Date: Wed Aug 25 11:36:38 2010
New Revision: 989019
URL: http://svn.apache.org/viewvc?rev=989019&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49749
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/trunk/webapps/docs/changelog.xml
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=989019&r1=989018&r2=989019&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Wed Aug 25 11:36:38 2010
@@ -796,6 +796,12 @@ public abstract class AuthenticatorBase
cookie.setDomain(ssoDomain);
}
+ // Configure httpOnly on SSO cookie using same rules as session
cookies
+ if
(request.getServletContext().getSessionCookieConfig().isHttpOnly() ||
+ request.getContext().getUseHttpOnly()) {
+ cookie.setHttpOnly(true);
+ }
+
response.addCookie(cookie);
// Register this principal with our SSO valve
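Review bot: The new block only ever sets httpOnly to true and never clears it, which is correct for a freshly constructed cookie but worth stating in the comment so nobody later assumes the branch mirrors the session-cookie setting in both directions. Two smaller points on the same hunk: the condition ORs `getSessionCookieConfig().isHttpOnly()` with `getContext().getUseHttpOnly()`, so the SSO cookie gets the flag if either source asks for it, which is the safer direction but slightly different from "same rules as session cookies" as the comment and changelog phrase it; and the hunk leaves the Secure attribute of the SSO cookie untouched, so if session cookies are configured as secure-only the SSO cookie will still diverge from them on that attribute. Suggest either extending the comment to say "sets httpOnly if either the session cookie config or the context requests it" or tightening the condition, and opening a follow-up for the Secure flag.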
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=989019&r1=989018&r2=989019&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Aug 25 11:36:38 2010
@@ -61,7 +61,11 @@
processed. (markt)
</fix>
<fix>
- <bug>47950</bug>: Align <code>WebappClassLoader.validate()</code>
+ <bug>49749</bug>: Single sign on cookies should have httpOnly flag set
+ using same rules as session cookies. (markt)
+ </fix>
+ <fix>
+ <bug>49750</bug>: Align <code>WebappClassLoader.validate()</code>
implementation with Javadoc and ensure that
<code>javax.servlet.*</code>
classes can not be loaded by a <code>WebappClassLoader</code> instance.
Patch provided by pid. (markt)
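Review bot: Besides adding the 49749 entry, this hunk silently renumbers the existing WebappClassLoader.validate() entry from 47950 to 49750, and that correction is not mentioned in the commit log ("Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49749"). Unrelated changelog corrections bundled into a security-relevant commit make the history harder to audit; suggest either noting the bug-number fix in the log message or committing it separately.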