Anonymous | Login | Signup for a new account | 12-17-2024 10:57 PST |
Main | My View | View Issues | Change Log | Docs |
Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
0004217 | [Resin] | minor | always | 09-16-10 21:02 | 11-15-10 10:01 | ||||
Reporter | gzhu | View Status | public | ||||||
Assigned To | ferg | ||||||||
Priority | normal | Resolution | fixed | ||||||
Status | closed | Product Version | 4.0.10 | ||||||
Summary | 0004217: request for implementation changes on <cookie-http-only> | ||||||||
Description |
With current implementation, if cookie-http-only is set, AbstractHttpResponse will set all cookies in that webapp to be HttpOnly. While in the real world, the desired behaviour should be setting HttpOnly flag for session id cookie only, the cookie generated by Resin, while retaining application generated cookies HttpOnly flags. A couple of more points: 1. httpOnly cookies will also go with https, the purpose of HttpOnly is to avoid XSS attack, and setting JSESSIONID cookie is good enough: http://www.owasp.org/index.php/HttpOnly. [^] 2. Tomcat implementation of HttpOnly: http://svn.apache.org/viewvc?revision=694992&view=revision [^] |
||||||||
Additional Information |
To fix it: 1. src/com/caucho/server/session/CookieImpl.java -- add a couple of methods diff -u CookieImpl.java.orig CookieImpl.java --- CookieImpl.java.orig 2010-08-24 10:42:44.000000000 -0700 +++ CookieImpl.java 2010-09-16 19:03:29.000000000 -0700 @@ -36,6 +36,7 @@ public class CookieImpl extends Cookie { // the allowed cookie port private String _port; + private boolean _httpOnly; /** * Create a new cookie object. @@ -43,6 +44,7 @@ public CookieImpl(String name, String value) { super(name, value); + _httpOnly = false; } /** @@ -60,4 +62,20 @@ { _port = port; } + + /** + * Checks whether this Cookie has been marked as HttpOnly. + */ + public boolean isHttpOnly() { + return _httpOnly; + } + + /** + * set HttpOnly flag + * @param isHttpOnly + */ + public void setHttpOnly(boolean isHttpOnly) + { + _httpOnly = isHttpOnly; + } } 2. src/com/caucho/server/http/AbstractHttpResponse.java -- append "; HttpOnly" only if the cookie says so diff -u AbstractHttpResponse.java.orig AbstractHttpResponse.java --- AbstractHttpResponse.java.orig 2010-08-24 10:47:36.000000000 -0700 +++ AbstractHttpResponse.java 2010-09-16 19:04:48.000000000 -0700 @@ -888,9 +889,12 @@ cb.append(_calendar.format("%a, %d-%b-%Y %H:%M:%S GMT")); } - WebApp app = _request.getWebApp(); - if (app.getCookieHttpOnly() || app.getSessionManager().isCookieHttpOnly()) { - cb.append("; HttpOnly"); + /** + * This only works with J2EE 6. + */ + if (cookie.isHttpOnly()) + { + cb.append("; HttpOnly"); } return true; 3. src/com/caucho/server/http/HttpServletResponseImpl.java -- set session cookie httponly if the webapp says so diff -u HttpServletResponseImpl.java.orig HttpServletResponseImpl.java --- HttpServletResponseImpl.java.orig 2010-08-24 10:42:40.000000000 -0700 +++ HttpServletResponseImpl.java 2010-09-16 18:11:29.000000000 -0700 @@ -1241,6 +1241,14 @@ cookie.setSecure(true); } + /** + * set session ID cookie httpOnly flag + * based on <cookie-http-only> value with the webapp + */ + if (manager.isHttpOnly()) + { + cookie.setHttpOnly(true); + } return cookie; } |
||||||||
Attached Files | |||||||||
|
Notes | |
(0004754) gzhu 09-16-10 21:15 |
Please update this doc: http://www.caucho.com/resin/admin/deploy-ref.xtp#cookie-http-only; [^] browsers will forward httponly cookies to https sites. |
(0004843) ferg 11-15-10 10:01 |
server/01e2 |
Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
31 total queries executed. 27 unique queries executed. |