[jira] Commented: (SHIRO-139) Cookie support refactoring - Simplify cookie configuration, support HttpOnly cookies and default session cookies to be HttpOnly = true

Fri, 14 May 2010 02:28:09 -0700 

    [ 
https://issues.apache.org/jira/browse/SHIRO-139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12867453#action_12867453
 ] 

Les Hazlewood commented on SHIRO-139:
-------------------------------------

Just a quick note - per this mailing list thread:

http://mail-archives.apache.org/mod_mbox/incubator-shiro-user/201005.mbox/%[email protected]%3e

It was discovered that the outgoing deleting 'rememberMe' cookie value was 
overwriting the incoming 'rememberMe' cookie value.  The 
SimpleCookie.removeFrom method was refactored to not use an incoming 
javax.servlet.http.Cookie, change it's value and maxAge for deletion, and then 
use that same Cookie instance in the response.addCookies call to delete the 
cookie.  Now the 'removeFrom' implementation sets the 'Set-Cookie' header just 
like the 'saveTo' implementation to avoid any possibility of sharing 
javax.servlet.http.Cookie objects. 

The SimpleCookieTest and CookieRememberMeManagerTest classes were updated to 
reflect this refactoring.

> Cookie support refactoring - Simplify cookie configuration, support HttpOnly 
> cookies and default session cookies to be HttpOnly = true
> --------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-139
>                 URL: https://issues.apache.org/jira/browse/SHIRO-139
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Web
>    Affects Versions: 1.0.0
>            Reporter: Les Hazlewood
>             Fix For: 1.0.0
>
>   Original Estimate: 3h
>  Remaining Estimate: 3h
>
> It would also be prudent to refactor the cookie support in Shiro to 
> 1) remove the overly verbose and complex RequestAttribute / 
> CookieRequestAttribute concepts.  This existed as a way to shield Shiro from 
> implementation details on how to persist and retrieve data across requests.  
> It'd be better to allow end-users to just configure a Cookie pojo instance 
> that is set on cookie-capable components which in turn use a mechanism to 
> set/remove the cookie
> 2) support the notion of HttpOnly cookies, which the servlet 2.4/2.5 does not 
> support, but we could support with our own Cookie pojo used in configuration 
> (see #1) which we set on the response header directly ( response.setHeader 
> instead of response.addCookie)
> 3) After adding #2, default Shiro's session cookie to be HttpOnly = true for 
> added security to reduce XSS attacks.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to