From 4cdc177964a37a53e9a30925e2a3e8f9520a0387 Mon Sep 17 00:00:00 2001
From: hns
Date: Thu, 16 Oct 2008 12:15:42 +0000
Subject: [PATCH] Add support for secure and HttpOnly session cookies, with HttpOnly being enabled by default. The features are controlled through the httpOnlySessionCookie and secureSessionCookie app properties. We now compose and set the session cookie ourselves as this is the only reliable way to do it in a cross-servlet-container compatible way and without adding dependencies to the servlet container.
---
 src/helma/servlet/AbstractServletClient.java | 31 +++++++++++++-------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/src/helma/servlet/AbstractServletClient.java b/src/helma/servlet/AbstractServletClient.java
index d2a78c13..8624278f 100644
--- a/src/helma/servlet/AbstractServletClient.java
+++ b/src/helma/servlet/AbstractServletClient.java
@@ -545,24 +545,25 @@ public abstract class AbstractServletClient extends HttpServlet {
             addIPAddress(buffer, request.getHeader("X-Forwarded-For"));
             addIPAddress(buffer, request.getHeader("Client-ip"));
             if (reqtrans.getSession() == null || !reqtrans.getSession().startsWith(buffer.toString())) {
-                response.addCookie(createSession(buffer.toString(), reqtrans, domain));
+                createSession(response, buffer.toString(), reqtrans, domain);
             }
         } else if (reqtrans.getSession() == null) {
-            response.addCookie(createSession("", reqtrans, domain));
+            createSession(response, "", reqtrans, domain);
         }
     }
 
     /**
      * Create a new session cookie.
      *
+     * @param response the servlet response
      * @param prefix the session id prefix
      * @param reqtrans the request object
      * @param domain the cookie domain
-     * @return the session cookie
      */
-    private Cookie createSession(String prefix,
-                                 RequestTrans reqtrans,
-                                 String domain) {
+    private void createSession(HttpServletResponse response,
+                               String prefix,
+                               RequestTrans reqtrans,
+                               String domain) {
         Application app = getApplication();
         String id = null;
         while (id == null || app.getSession(id) != null) {
@@ -575,12 +576,20 @@ public abstract class AbstractServletClient extends HttpServlet {
         }
         reqtrans.setSession(id);
 
-        Cookie cookie = new Cookie(sessionCookieName, id);
-        cookie.setPath("/");
-        if (domain != null)
-            cookie.setDomain(domain);
-        return cookie;
+        StringBuffer buffer = new StringBuffer(sessionCookieName);
+        buffer.append("=").append(id).append("; Path=/");
+        if (domain != null) {
+            // lowercase domain for IE
+            buffer.append("; Domain=").append(domain.toLowerCase());
+        }
+        if (!"false".equalsIgnoreCase(app.getProperty("httpOnlySessionCookie"))) {
+            buffer.append("; HttpOnly");
+        }
+        if ("true".equalsIgnoreCase(app.getProperty("secureSessionCookie"))) {
+            buffer.append("; Secure");
+        }
+        response.addHeader("Set-Cookie", buffer.toString());
     }
 
     /**
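Review bot: Writing the raw `Set-Cookie` header in the second hunk gives up the value encoding and validation the container applied when `id` went through `new Cookie(sessionCookieName, id)`, so `id` is now appended verbatim and must itself be guaranteed cookie-safe; in the first hunk the `prefix` it is built from comes from the `X-Forwarded-For` and `Client-ip` request headers via `addIPAddress`, and the lines that turn `prefix` into `id` (the `while` body) lie between the two hunks, so I cannot confirm here that they only admit token characters. Unless `addIPAddress` already restricts the value to digits and dots, add a guard before the append, e.g. `if (id.indexOf(';') >= 0 || id.indexOf('\r') >= 0 || id.indexOf('\n') >= 0 || id.indexOf(' ') >= 0) throw new IllegalStateException("session id contains characters not allowed in a cookie value");`, so a malformed prefix cannot add or terminate cookie attributes. Separately, `domain.toLowerCase()` is locale-dependent; `domain.toLowerCase(Locale.ROOT)` avoids surprises on hosts with a Turkish default locale. The method's Javadoc could also say that the cookie is written straight to the response as a `Set-Cookie` header and that `HttpOnly` is on unless `httpOnlySessionCookie` is `false`, since the summary line still reads "Create a new session cookie".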