Mantis - Resin
Viewing Issue Advanced Details
ID: 4217 | Severity: minor | Reproducibility: always | Date Submitted: 09-16-10 21:02 | Last Update: 11-15-10 10:01
Reporter: gzhu
Assigned To: ferg
Priority: normal
Status: closed | Product Version: 4.0.10
Resolution: fixed
Projection: none
ETA: none | Fixed in Version: 4.0.14
0004217: request for implementation changes on <cookie-http-only>
With the current implementation, if cookie-http-only is set, AbstractHttpResponse will set all cookies in that webapp to be HttpOnly. In the real world, the desired behaviour should be setting the HttpOnly flag for the session id cookie only (the cookie generated by Resin), while retaining the HttpOnly flags of application-generated cookies.

A couple more points:

1. HttpOnly cookies will also go with https; the purpose of HttpOnly is to avoid XSS attacks, and setting the JSESSIONID cookie is good enough: http://www.owasp.org/index.php/HttpOnly

2. Tomcat implementation of HttpOnly: http://svn.apache.org/viewvc?revision=694992&view=revision

So if you have this JSP, the HttpOnly flag set by the application should be honored, while only the session cookie should be set based on the webapp config.


<%
/**
 * create a new session (Resin emits the JSESSIONID cookie for it)
 */
HttpSession s = request.getSession();

/**
 * set up custom cookies; Cookie.setHttpOnly requires the Servlet 3.0 API
 */
Cookie myhttpcookie = new Cookie("MyHttpCookie", "NotVisibleToJavaScript");
myhttpcookie.setPath("/");
myhttpcookie.setHttpOnly(true);   // application wants this one hidden from script
response.addCookie(myhttpcookie);

Cookie myjscookie = new Cookie("MyJsCookie", "VisibleToJavaScript");
myjscookie.setPath("/");
myjscookie.setHttpOnly(false);    // application wants this one readable by script
response.addCookie(myjscookie);
%>

To fix it:

1. src/com/caucho/server/session/CookieImpl.java
  -- add a couple of methods

diff -u CookieImpl.java.orig CookieImpl.java
--- CookieImpl.java.orig 2010-08-24 10:42:44.000000000 -0700
+++ CookieImpl.java 2010-09-16 19:03:29.000000000 -0700
@@ -36,6 +36,7 @@
 public class CookieImpl extends Cookie {
   // the allowed cookie port
   private String _port;
+ private boolean _httpOnly;
 
   /**
    * Create a new cookie object.
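Review bot: `_httpOnly` duplicates state that `javax.servlet.http.Cookie` already keeps in Servlet 3.0, where `setHttpOnly`/`isHttpOnly` exist on the base class (the AbstractHttpResponse change in this report relies on exactly that, per its "only works with J2EE 6" comment). If Resin's Cookie is the Servlet 3.0 class, drop the field and let CookieImpl inherit the flag; if it is older, say so in a comment next to the field so the two code paths are not mixed.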
@@ -43,6 +44,7 @@
   public CookieImpl(String name, String value)
   {
     super(name, value);
+ _httpOnly = false;
   }
 
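Review bot: `_httpOnly = false;` in the constructor is redundant; a Java boolean field is already false by default and the field declaration covers every constructor, so this hunk can be dropped entirely.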
   /**
@@ -60,4 +62,20 @@
   {
     _port = port;
   }
+
+ /**
+ * Checks whether this Cookie has been marked as HttpOnly.
+ */
+ public boolean isHttpOnly() {
+ return _httpOnly;
+ }
+
+ /**
+ * set HttpOnly flag
+ * @param isHttpOnly
+ */
+ public void setHttpOnly(boolean isHttpOnly)
+ {
+ _httpOnly = isHttpOnly;
+ }
 }
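Review bot: the `@param isHttpOnly` tag on setHttpOnly has no description, and the two new methods use different brace styles (`isHttpOnly() {` on one line, `setHttpOnly` with the brace on the next line) while the rest of the file puts the brace on its own line, as `setPort` above does. Suggest `@param isHttpOnly true to append "; HttpOnly" to the Set-Cookie header` and the next-line brace for both methods.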

2. src/com/caucho/server/http/AbstractHttpResponse.java
  -- append "; HttpOnly" only if the cookie says so

diff -u AbstractHttpResponse.java.orig AbstractHttpResponse.java
--- AbstractHttpResponse.java.orig 2010-08-24 10:47:36.000000000 -0700
+++ AbstractHttpResponse.java 2010-09-16 19:04:48.000000000 -0700
@@ -888,9 +889,12 @@
       cb.append(_calendar.format("%a, %d-%b-%Y %H:%M:%S GMT"));
     }
 
- WebApp app = _request.getWebApp();
- if (app.getCookieHttpOnly() || app.getSessionManager().isCookieHttpOnly()) {
- cb.append("; HttpOnly");
+ /**
+ * This only works with J2EE 6.
+ */
+ if (cookie.isHttpOnly())
+ {
+ cb.append("; HttpOnly");
     }
 
     return true;
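Review bot: the new-file offset in `@@ -888,9 +889,12 @@` implies a one-line insertion earlier in the file that is not in this diff, so the patch as posted will not apply cleanly; include that change. Also, removing the `app.getCookieHttpOnly() || app.getSessionManager().isCookieHttpOnly()` test means application cookies no longer get the flag that `<cookie-http-only>` used to force on them; that is the requested behaviour, but it changes what existing deployments send, and the comment should state that rather than only "This only works with J2EE 6" (which, since `cookie` is a plain Cookie here, refers to `isHttpOnly()` existing only in the Servlet 3.0 API).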

3. src/com/caucho/server/http/HttpServletResponseImpl.java
  -- set session cookie httponly if the webapp says so

diff -u HttpServletResponseImpl.java.orig HttpServletResponseImpl.java
--- HttpServletResponseImpl.java.orig 2010-08-24 10:42:40.000000000 -0700
+++ HttpServletResponseImpl.java 2010-09-16 18:11:29.000000000 -0700
@@ -1241,6 +1241,14 @@
       cookie.setSecure(true);
    }
 
+ /**
+ * set session ID cookie httpOnly flag
+ * based on <cookie-http-only> value with the webapp
+ */
+ if (manager.isHttpOnly())
+ {
+ cookie.setHttpOnly(true);
+ }
     return cookie;
   }
 
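Review bot: `manager.isHttpOnly()` does not match the accessor the AbstractHttpResponse hunk removes, `getSessionManager().isCookieHttpOnly()`; unless `manager` is a different type, this will not compile. The removed check also honoured the webapp-level `app.getCookieHttpOnly()`, which this hunk never consults, so a `<cookie-http-only>` that only reaches the webapp setting would leave the session cookie without the flag. Suggest `if (manager.isCookieHttpOnly() || app.getCookieHttpOnly())` with `app` obtained via `_request.getWebApp()` as in the removed code.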


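As a regression check for the behaviour requested above (an added example, not part of the report or of Resin's code): parse the Set-Cookie headers of one response and confirm that the session cookie carries HttpOnly while each application cookie keeps exactly the flag the application set. The header values are constructed from the JSP in the report; the session cookie value is a placeholder.

```python
# Resin's session id cookie name, the one <cookie-http-only> should govern.
SESSION_COOKIE = "JSESSIONID"


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lower: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def check_cookie_policy(headers, expected_app_flags, session_http_only=True):
    """headers: Set-Cookie values of one response; expected_app_flags maps each
    application cookie to the HttpOnly flag the application itself set.
    Returns findings (empty list = response matches the policy)."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        http_only = attrs.get("httponly") is True
        if name == SESSION_COOKIE:
            if session_http_only and not http_only:
                findings.append(f"{name}: session cookie is missing HttpOnly")
        elif name in expected_app_flags and http_only != expected_app_flags[name]:
            findings.append(f"{name}: container changed HttpOnly to {http_only}, "
                            f"application set {expected_app_flags[name]}")
    return findings


# Constructed headers for the JSP in the report: the flags the application set, a
# response after the fix, and one from the unpatched server (all cookies forced HttpOnly).
APP_FLAGS = {"MyHttpCookie": True, "MyJsCookie": False}
PATCHED = [
    "JSESSIONID=aaaa1111; Path=/; HttpOnly",
    "MyHttpCookie=NotVisibleToJavaScript; Path=/; HttpOnly",
    "MyJsCookie=VisibleToJavaScript; Path=/",
]
UNPATCHED = [
    "JSESSIONID=aaaa1111; Path=/; HttpOnly",
    "MyHttpCookie=NotVisibleToJavaScript; Path=/; HttpOnly",
    "MyJsCookie=VisibleToJavaScript; Path=/; HttpOnly",
]

if __name__ == "__main__":
    print(check_cookie_policy(PATCHED, APP_FLAGS))    # []
    print(check_cookie_policy(UNPATCHED, APP_FLAGS))  # one finding for MyJsCookie
```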
Notes

(0004754) gzhu, 09-16-10 21:15
Please update this doc: http://www.caucho.com/resin/admin/deploy-ref.xtp#cookie-http-only; browsers will forward httponly cookies to https sites.

(0004843) ferg, 11-15-10 10:01
server/01e2