Add support for secure and HttpOnly session cookies, with HttpOnly being enabled by default. The features are controlled through the httpOnlySessionCookie and secureSessionCookie app properties. We now compose and set the session cookie ourselves as this is the only reliable way to do it in a cross-servlet-container compatible way and without adding dependencies to the servlet container.

2008-10-16 12:15:42 +00:00 · 2008-10-16 12:15:42 +00:00 · 4cdc177964
commit 4cdc177964
parent 5217132767
1 changed files with 20 additions and 11 deletions
--- a/src/helma/servlet/AbstractServletClient.java
+++ b/src/helma/servlet/AbstractServletClient.java
@ -545,22 +545,23 @@ public abstract class AbstractServletClient extends HttpServlet {
            addIPAddress(buffer, request.getHeader("X-Forwarded-For"));
            addIPAddress(buffer, request.getHeader("Client-ip"));
            if (reqtrans.getSession() == null || !reqtrans.getSession().startsWith(buffer.toString())) {
-                response.addCookie(createSession(buffer.toString(), reqtrans, domain));
+                createSession(response, buffer.toString(), reqtrans, domain);
            }
        } else if (reqtrans.getSession() == null) {
-            response.addCookie(createSession("", reqtrans, domain));
+            createSession(response, "", reqtrans, domain);
        }
    }

    /**
     * Create a new session cookie.
     *
+     * @param response the servlet response
     * @param prefix the session id prefix
     * @param reqtrans the request object
     * @param domain the cookie domain
-     * @return the session cookie
     */
-    private Cookie createSession(String prefix,
+    private void createSession(HttpServletResponse response,
+                               String prefix,
                               RequestTrans reqtrans,
                               String domain) {
        Application app = getApplication();
@ -575,12 +576,20 @@ public abstract class AbstractServletClient extends HttpServlet {
        }

        reqtrans.setSession(id);
-        Cookie cookie = new Cookie(sessionCookieName, id);
-        cookie.setPath("/");
-        if (domain != null)
-            cookie.setDomain(domain);

-        return cookie;
+        StringBuffer buffer = new StringBuffer(sessionCookieName);
+        buffer.append("=").append(id).append("; Path=/");
+        if (domain != null) {
+            // lowercase domain for IE
+            buffer.append("; Domain=").append(domain.toLowerCase());
+        }
+        if (!"false".equalsIgnoreCase(app.getProperty("httpOnlySessionCookie"))) {
+            buffer.append("; HttpOnly");
+        }
+        if ("true".equalsIgnoreCase(app.getProperty("secureSessionCookie"))) {
+            buffer.append("; Secure");
+        }
+        response.addHeader("Set-Cookie", buffer.toString());
    }

    /**