Author: kkolinko Date: Tue Jan 18 20:26:56 2011 New Revision: 1060560 URL: http://svn.apache.org/viewvc?rev=1060560&view=rev Log: Configure manager, host-manager and admin webapps to use HttpOnly for session cookies
Modified: tomcat/tc5.5.x/trunk/STATUS.txt tomcat/tc5.5.x/trunk/container/webapps/admin/admin.xml tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml tomcat/tc5.5.x/trunk/container/webapps/host-manager/host-manager.xml tomcat/tc5.5.x/trunk/container/webapps/host-manager/manager.xml tomcat/tc5.5.x/trunk/container/webapps/manager/manager.xml
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=1060560&r1=1060559&r2=1060560&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Tue Jan 18 20:26:56 2011
@@ -71,11 +71,6 @@ PATCHES PROPOSED TO BACKPORT:
 patched tomcat.nsi of tc5.5 on top of it: ( http://people.apache.org/~kkolinko/patches/2011-01-17_tc55_tomcat-nsi-of-tc7_vs_tc55.diff )
-* Configure manager, host-manager and admin webapps to use HttpOnly for session cookies
- http://people.apache.org/~kkolinko/patches/2010-11-22_tc55_httpOnly.patch
- +1: kkolinko, rjung, markt
- -1:
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50460 Avoid leak caused by using a cached exception instance http://svn.apache.org/viewvc?rev=1044987&view=rev
Modified: tomcat/tc5.5.x/trunk/container/webapps/admin/admin.xml
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/admin/admin.xml?rev=1060560&r1=1060559&r2=1060560&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/admin/admin.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/admin/admin.xml Tue Jan 18 20:26:56 2011
@@ -25,7 +25,7 @@
 <Context docBase="${catalina.home}/server/webapps/admin" privileged="true"
- antiResourceLocking="false" antiJARLocking="false">
+ antiResourceLocking="false" antiJARLocking="false" useHttpOnly="true">
 <!-- Uncomment this Valve to limit access to the Admin app to localhost for obvious security reasons. Allow is a comma-separated list of
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=1060560&r1=1060559&r2=1060560&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Tue Jan 18 20:26:56 2011
@@ -113,6 +113,10 @@
 <fix> Improve filtering of Manager display output. (kkolinko) </fix>
+ <update>
+ Configure the Admin, Manager and Host-Manager web applications to use
+ HttpOnly flag for their session cookies. (kkolinko)
+ </update>
 </changelog> </subsection> </section>
Modified: tomcat/tc5.5.x/trunk/container/webapps/host-manager/host-manager.xml
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/host-manager/host-manager.xml?rev=1060560&r1=1060559&r2=1060560&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/host-manager/host-manager.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/host-manager/host-manager.xml Tue Jan 18 20:26:56 2011
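Review bot: In the admin.xml hunk, `useHttpOnly="true"` on the `<Context>` only keeps the session cookie out of reach of script access; nothing visible here marks the cookie Secure or requires HTTPS, so for this privileged webapp the session id may still travel in clear text, depending on connector and web.xml settings that are not shown. The same applies to the host-manager.xml hunk and both manager.xml hunks. I would add a short comment above each `<Context>`, for example `<!-- useHttpOnly hides the session cookie from script access; it does not replace serving this app over HTTPS -->`, so the attribute is not read as complete session protection. The `<Context>` element in admin.xml continues past the end of the hunk.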
@@ -25,6 +25,6 @@
 <Context docBase="${catalina.home}/server/webapps/host-manager"
- privileged="true" antiResourceLocking="false" antiJARLocking="false">
+ privileged="true" antiResourceLocking="false" antiJARLocking="false" useHttpOnly="true">
 </Context>
Modified: tomcat/tc5.5.x/trunk/container/webapps/host-manager/manager.xml
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/host-manager/manager.xml?rev=1060560&r1=1060559&r2=1060560&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/host-manager/manager.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/host-manager/manager.xml Tue Jan 18 20:26:56 2011
@@ -25,6 +25,6 @@
 <Context docBase="${catalina.home}/server/webapps/manager"
- privileged="true" antiResourceLocking="false" antiJARLocking="false">
+ privileged="true" antiResourceLocking="false" antiJARLocking="false" useHttpOnly="true">
 </Context>
Modified: tomcat/tc5.5.x/trunk/container/webapps/manager/manager.xml
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/manager/manager.xml?rev=1060560&r1=1060559&r2=1060560&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/manager/manager.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/manager/manager.xml Tue Jan 18 20:26:56 2011
@@ -25,7 +25,7 @@
 <Context docBase="${catalina.home}/server/webapps/manager"
- privileged="true" antiResourceLocking="false" antiJARLocking="false">
+ privileged="true" antiResourceLocking="false" antiJARLocking="false" useHttpOnly="true">
 <!-- Link to the user database we will get roles from --> <ResourceLink name="users" global="UserDatabase"
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org