Add support for Secure and HttpOnly session cookies, with HttpOnly enabled by default. The features are controlled through the httpOnlySessionCookie and secureSessionCookie app properties. We now compose and set the Set-Cookie header ourselves, as this is the only reliable way to do it that works across servlet containers without adding a dependency on any specific container.
This commit is contained in:
parent
5217132767
commit
4cdc177964
1 changed files with 20 additions and 11 deletions
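--- a/AbstractServletClient.java
+++ b/AbstractServletClient.java
@@ -545,24 +545,25 @@ public abstract class AbstractServletClient extends HttpServlet {
 addIPAddress(buffer, request.getHeader("X-Forwarded-For"));
 addIPAddress(buffer, request.getHeader("Client-ip"));
 if (reqtrans.getSession() == null || !reqtrans.getSession().startsWith(buffer.toString())) {
-response.addCookie(createSession(buffer.toString(), reqtrans, domain));
+createSession(response, buffer.toString(), reqtrans, domain);
 }
 } else if (reqtrans.getSession() == null) {
-response.addCookie(createSession("", reqtrans, domain));
+createSession(response, "", reqtrans, domain);
 }
 }
 
 /**
 * Create a new session cookie.
 *
+* @param response the servlet response
 * @param prefix the session id prefix
 * @param reqtrans the request object
 * @param domain the cookie domain
-* @return the session cookie
 */
-private Cookie createSession(String prefix,
-RequestTrans reqtrans,
-String domain) {
+private void createSession(HttpServletResponse response,
+String prefix,
+RequestTrans reqtrans,
+String domain) {
 Application app = getApplication();
 String id = null;
 while (id == null || app.getSession(id) != null) {
@@ -575,12 +576,20 @@ public abstract class AbstractServletClient extends HttpServlet {
 }
 
 reqtrans.setSession(id);
-Cookie cookie = new Cookie(sessionCookieName, id);
-cookie.setPath("/");
-if (domain != null)
-cookie.setDomain(domain);
 
-return cookie;
+StringBuffer buffer = new StringBuffer(sessionCookieName);
+buffer.append("=").append(id).append("; Path=/");
+if (domain != null) {
+// lowercase domain for IE
+buffer.append("; Domain=").append(domain.toLowerCase());
+}
+if (!"false".equalsIgnoreCase(app.getProperty("httpOnlySessionCookie"))) {
+buffer.append("; HttpOnly");
+}
+if ("true".equalsIgnoreCase(app.getProperty("secureSessionCookie"))) {
+buffer.append("; Secure");
+}
+response.addHeader("Set-Cookie", buffer.toString());
 }
 
 /**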
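Review bot: In the second hunk the Set-Cookie value is built by plain concatenation of `sessionCookieName`, `id` and `domain`, and nothing in `createSession` checks that these are free of `;`, `,`, whitespace or CR/LF — the `new Cookie(name, value)` call this replaces validated at least the cookie name, and whether the container's `addHeader` strips control characters is itself container-specific, which is the dependency the commit is trying to avoid. A guard before `addHeader`, e.g. `if (!id.matches("[A-Za-z0-9_.-]+") || (domain != null && !domain.matches("[A-Za-z0-9.-]+"))) throw new IllegalStateException("invalid session cookie value");`, keeps a bad property value or id from corrupting or injecting response headers; the loop that generates `id` is cut off between the two hunks, so its character set should be confirmed there. `domain.toLowerCase()` should be `domain.toLowerCase(Locale.ROOT)` so the header does not depend on the JVM default locale. Note also that `Secure` stays opt-in; deployments behind TLS need the property set, or the caller (which has `request`) could default it from `request.isSecure()`.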