Mantis Bugtracker
  

ID: 0004217
Category: [Resin]
Severity: minor
Reproducibility: always
Date Submitted: 09-16-10 21:02
Last Update: 11-15-10 10:01
Reporter: gzhu
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Status: closed
Projection: none
ETA: none
Fixed in Version: 4.0.14
Product Version: 4.0.10
Summary: 0004217: request for implementation changes on <cookie-http-only>
Description: With the current implementation, if cookie-http-only is set, AbstractHttpResponse sets all cookies in that webapp to HttpOnly. In the real world, the desired behaviour should be to set the HttpOnly flag only for the session id cookie (the cookie generated by Resin), while keeping the HttpOnly flags of application-generated cookies.

A couple more points:

1. HttpOnly cookies will also go with https; the purpose of HttpOnly is to avoid XSS attacks, and setting it on the JSESSIONID cookie is good enough: http://www.owasp.org/index.php/HttpOnly

2. Tomcat implementation of HttpOnly: http://svn.apache.org/viewvc?revision=694992&view=revision

Steps To Reproduce: So if you have this JSP, the HttpOnly flag set by the application should be honored, while only the session cookie should be set based on the webapp config.

<%
/**
 * create a new session
 */
HttpSession s = request.getSession();

/**
 * set up custom cookies
 */
Cookie myhttpcookie = new Cookie("MyHttpCookie", "NotVisibleToJavaScript");
myhttpcookie.setPath("/");
myhttpcookie.setHttpOnly(true);
response.addCookie(myhttpcookie);

Cookie myjscookie = new Cookie("MyJsCookie", "VisibleToJavaScript");
myjscookie.setPath("/");
myjscookie.setHttpOnly(false);
response.addCookie(myjscookie);
%>

Additional Information: To fix it:

1. src/com/caucho/server/session/CookieImpl.java
  -- add a couple of methods

diff -u CookieImpl.java.orig CookieImpl.java
--- CookieImpl.java.orig 2010-08-24 10:42:44.000000000 -0700
+++ CookieImpl.java 2010-09-16 19:03:29.000000000 -0700
@@ -36,6 +36,7 @@
 public class CookieImpl extends Cookie {
   // the allowed cookie port
   private String _port;
+ private boolean _httpOnly;
 
   /**
    * Create a new cookie object.
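Review bot: the new `_httpOnly` field duplicates state the base Cookie class already carries: the reproduction JSP in this report calls `myhttpcookie.setHttpOnly(true)` on a plain `javax.servlet.http.Cookie`, so the servlet API in use already has an HttpOnly flag with accessors, and the `isHttpOnly()`/`setHttpOnly()` added in the third hunk would only override them. Either drop the field and rely on the inherited accessors, or add a comment explaining why CookieImpl needs its own copy (for example, compiling against a pre-Servlet-3.0 API, in which case the `cookie.isHttpOnly()` call added to AbstractHttpResponse would not compile either).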
@@ -43,6 +44,7 @@
   public CookieImpl(String name, String value)
   {
     super(name, value);
+ _httpOnly = false;
   }
 
   /**
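Review bot: `_httpOnly = false;` in the constructor is redundant, since a Java boolean field is already initialised to false; drop it (or initialise at the declaration in the first hunk) to keep the constructor as it was.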
@@ -60,4 +62,20 @@
   {
     _port = port;
   }
+
+ /**
+ * Checks whether this Cookie has been marked as HttpOnly.
+ */
+ public boolean isHttpOnly() {
+ return _httpOnly;
+ }
+
+ /**
+ * set HttpOnly flag
+ * @param isHttpOnly
+ */
+ public void setHttpOnly(boolean isHttpOnly)
+ {
+ _httpOnly = isHttpOnly;
+ }
 }
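Review bot: brace style is inconsistent within the added methods: `isHttpOnly()` opens its brace on the same line while `setHttpOnly()` and the existing constructor above put the brace on its own line; match the file's layout. The Javadoc `@param isHttpOnly` tag also carries no description, and "set HttpOnly flag" should be a sentence like the Javadoc of the method above it.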

2. src/com/caucho/server/http/AbstractHttpResponse.java
  -- append "; HttpOnly" only if the cookie says so

diff -u AbstractHttpResponse.java.orig AbstractHttpResponse.java
--- AbstractHttpResponse.java.orig 2010-08-24 10:47:36.000000000 -0700
+++ AbstractHttpResponse.java 2010-09-16 19:04:48.000000000 -0700
@@ -888,9 +889,12 @@
       cb.append(_calendar.format("%a, %d-%b-%Y %H:%M:%S GMT"));
     }
 
- WebApp app = _request.getWebApp();
- if (app.getCookieHttpOnly() || app.getSessionManager().isCookieHttpOnly()) {
- cb.append("; HttpOnly");
+ /**
+ * This only works with J2EE 6.
+ */
+ if (cookie.isHttpOnly())
+ {
+ cb.append("; HttpOnly");
     }
 
     return true;
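Review bot: the removed condition also honoured `app.getCookieHttpOnly()` and `app.getSessionManager().isCookieHttpOnly()`, so with this change a webapp-wide `<cookie-http-only>` no longer affects application cookies at all; that is what the report asks for, but it is a behaviour change for existing deployments and needs a documentation and release-note entry. The comment "This only works with J2EE 6" should state the constraint concretely (`cookie.isHttpOnly()` exists only on the Servlet 3.0 `Cookie`, so the class no longer compiles against older servlet APIs), and a Javadoc-style `/** */` block inside a method body should be a plain `//` or `/* */` comment.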

3. src/com/caucho/server/http/HttpServletResponseImpl.java
  -- set session cookie httponly if the webapp says so

diff -u HttpServletResponseImpl.java.orig HttpServletResponseImpl.java
--- HttpServletResponseImpl.java.orig 2010-08-24 10:42:40.000000000 -0700
+++ HttpServletResponseImpl.java 2010-09-16 18:11:29.000000000 -0700
@@ -1241,6 +1241,14 @@
       cookie.setSecure(true);
    }
 
+ /**
+ * set session ID cookie httpOnly flag
+ * based on <cookie-http-only> value with the webapp
+ */
+ if (manager.isHttpOnly())
+ {
+ cookie.setHttpOnly(true);
+ }
     return cookie;
   }
 
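Review bot: `manager.isHttpOnly()` does not match the accessor the removed AbstractHttpResponse code used for the same setting, `app.getSessionManager().isCookieHttpOnly()`; confirm which name the session manager actually exposes, otherwise this hunk will not compile. As in the previous file, the Javadoc-style block comment inside the method body should be a `//` comment.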

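The behaviour this report asks for, as an added check that is not code from the report or from Resin: a Python script that parses a server's raw Set-Cookie headers and lists every cookie whose HttpOnly flag differs from the expected policy (JSESSIONID HttpOnly via <cookie-http-only>, application cookies exactly as the JSP above set them). The sample headers are constructed to match the reproduction JSP.

```python
# Added example, not from the Resin bug report: check raw Set-Cookie headers
# against the policy the report asks for. Sample headers are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs); attribute names
    are lower-cased, flags like HttpOnly map to True, valued ones to their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs

def httponly_flags(headers):
    """Map each cookie name to whether its Set-Cookie header carries HttpOnly."""
    return {name: "httponly" in attrs
            for name, _, attrs in map(parse_set_cookie, headers)}

def check_policy(headers, app_policy, session_cookie="JSESSIONID"):
    """Return (cookie, expected, observed) for each cookie that breaks policy:
    the session cookie must be HttpOnly, each application cookie must carry
    exactly the flag the application set; a missing cookie reports None."""
    observed = httponly_flags(headers)
    expected = {session_cookie: True, **app_policy}
    return [(name, want, observed.get(name))
            for name, want in expected.items() if observed.get(name) != want]

# Constructed headers modelled on the reproduction JSP with <cookie-http-only>
# enabled. Before the fix Resin marks every cookie HttpOnly:
BEFORE = [
    "JSESSIONID=aaaabbbb; Path=/; HttpOnly",
    "MyHttpCookie=NotVisibleToJavaScript; Path=/; HttpOnly",
    "MyJsCookie=VisibleToJavaScript; Path=/; HttpOnly",
]
# After the fix only the session cookie and MyHttpCookie carry the flag:
AFTER = [
    "JSESSIONID=aaaabbbb; Path=/; HttpOnly",
    "MyHttpCookie=NotVisibleToJavaScript; Path=/; HttpOnly",
    "MyJsCookie=VisibleToJavaScript; Path=/",
]
APP_POLICY = {"MyHttpCookie": True, "MyJsCookie": False}

if __name__ == "__main__":
    print("before:", check_policy(BEFORE, APP_POLICY))  # MyJsCookie wrongly HttpOnly
    print("after:", check_policy(AFTER, APP_POLICY))    # []
```

To run it against a real deployment, replace BEFORE/AFTER with the Set-Cookie headers captured from the JSP's response (for example via curl -i).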
- Notes
(0004754)
gzhu
09-16-10 21:15

Please update this doc: http://www.caucho.com/resin/admin/deploy-ref.xtp#cookie-http-only; browsers will forward HttpOnly cookies to https sites.
 
(0004843)
ferg
11-15-10 10:01

server/01e2
 

- Issue History
Date Modified Username Field Change
09-16-10 21:02 gzhu New Issue
09-16-10 21:15 gzhu Note Added: 0004754
11-15-10 10:01 ferg Note Added: 0004843
11-15-10 10:01 ferg Assigned To  => ferg
11-15-10 10:01 ferg Status new => closed
11-15-10 10:01 ferg Resolution open => fixed
11-15-10 10:01 ferg Fixed in Version  => 4.0.14

