0004217: request for implementation changes on <cookie-http-only>

Viewing Issue Advanced Details [ Jump to Notes ]

[ View Simple ] [ Issue History ] [ Print ]

Category

Severity

Reproducibility

Date Submitted

Last Update

0004217

[Resin]

minor

always

09-16-10 21:02

11-15-10 10:01

Reporter

gzhu

View Status

public

Assigned To

ferg

Priority

normal

Resolution

fixed

Platform

Status

closed

Projection

none

OS Version

ETA

none

Fixed in Version

4.0.14

Product Version

4.0.10

Product Build

Summary

0004217: request for implementation changes on <cookie-http-only>

Description

With current implementation, if cookie-http-only is set, AbstractHttpResponse will set all cookies in that webapp to be HttpOnly. While in the real world, the desired behaviour should be setting HttpOnly flag for session id cookie only, the cookie generated by Resin, while retaining application generated cookies HttpOnly flags.

A couple of more points:

1. httpOnly cookies will also go with https, the purpose of HttpOnly is to avoid XSS attack, and setting JSESSIONID cookie is good enough: http://www.owasp.org/index.php/HttpOnly. [^]

2. Tomcat implementation of HttpOnly: http://svn.apache.org/viewvc?revision=694992&view=revision [^]

Steps To Reproduce

So if you have this JSP, the HttpOnly flag set by application should be honored, while only session cookie should be set based on webapp config.

/**
* create a new sesion
*/
HttpSession s = request.getSession();

/**
* set up custom cookies
*/
Cookie myhttpcookie = new Cookie("MyHttpCookie", "NotVisibleToJavaScript");
myhttpcookie.setPath("/");
myhttpcookie.setHttpOnly(true);
response.addCookie(myhttpcookie);

Cookie myjscookie = new Cookie("MyJsCookie", "VisibleToJavaScript");
myjscookie.setPath("/");
myjscookie.setHttpOnly(false);
response.addCookie(myjscookie);

Additional Information

To fix it:

1. src/com/caucho/server/session/CookieImpl.java
  -- add a couple of methods

diff -u CookieImpl.java.orig CookieImpl.java
--- CookieImpl.java.orig 2010-08-24 10:42:44.000000000 -0700
+++ CookieImpl.java 2010-09-16 19:03:29.000000000 -0700
@@ -36,6 +36,7 @@
public class CookieImpl extends Cookie {
   // the allowed cookie port
   private String _port;
+ private boolean _httpOnly;

   /**
    * Create a new cookie object.
@@ -43,6 +44,7 @@
   public CookieImpl(String name, String value)
   {
     super(name, value);
+ _httpOnly = false;
   }

   /**
@@ -60,4 +62,20 @@
   {
     _port = port;
   }
+
+ /**
+ * Checks whether this Cookie has been marked as HttpOnly.
+ */
+ public boolean isHttpOnly() {
+ return _httpOnly;
+ }
+
+ /**
+ * set HttpOnly flag
+ * @param isHttpOnly
+ */
+ public void setHttpOnly(boolean isHttpOnly)
+ {
+ _httpOnly = isHttpOnly;
+ }
}

2. src/com/caucho/server/http/AbstractHttpResponse.java
  -- append "; HttpOnly" only if the cookie says so

diff -u AbstractHttpResponse.java.orig AbstractHttpResponse.java
--- AbstractHttpResponse.java.orig 2010-08-24 10:47:36.000000000 -0700
+++ AbstractHttpResponse.java 2010-09-16 19:04:48.000000000 -0700
@@ -888,9 +889,12 @@
       cb.append(_calendar.format("%a, %d-%b-%Y %H:%M:%S GMT"));
     }

- WebApp app = _request.getWebApp();
- if (app.getCookieHttpOnly() || app.getSessionManager().isCookieHttpOnly()) {
- cb.append("; HttpOnly");
+ /**
+ * This only works with J2EE 6.
+ */
+ if (cookie.isHttpOnly())
+ {
+ cb.append("; HttpOnly");
     }

     return true;

3. src/com/caucho/server/http/HttpServletResponseImpl.java
  -- set session cookie httponly if the webapp says so

diff -u HttpServletResponseImpl.java.orig HttpServletResponseImpl.java
--- HttpServletResponseImpl.java.orig 2010-08-24 10:42:40.000000000 -0700
+++ HttpServletResponseImpl.java 2010-09-16 18:11:29.000000000 -0700
@@ -1241,6 +1241,14 @@
       cookie.setSecure(true);
    }

+ /**
+ * set session ID cookie httpOnly flag
+ * based on <cookie-http-only> value with the webapp
+ */
+ if (manager.isHttpOnly())
+ {
+ cookie.setHttpOnly(true);
+ }
     return cookie;
   }

Attached Files

Relationships

Notes
(0004754) gzhu 09-16-10 21:15	Please update this doc: http://www.caucho.com/resin/admin/deploy-ref.xtp#cookie-http-only; [^] browsers will forward httponly cookies to https sites.

(0004843) ferg 11-15-10 10:01	server/01e2

Issue History
Date Modified	Username	Field	Change
09-16-10 21:02	gzhu	New Issue
09-16-10 21:15	gzhu	Note Added: 0004754
11-15-10 10:01	ferg	Note Added: 0004843
11-15-10 10:01	ferg	Assigned To	=> ferg
11-15-10 10:01	ferg	Status	new => closed
11-15-10 10:01	ferg	Resolution	open => fixed
11-15-10 10:01	ferg	Fixed in Version	=> 4.0.14

Mantis 1.0.0rc3[^]

31 total queries executed.
27 unique queries executed.