From c468e8e8651ded64c017d482611ef52ad2ba8b35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobi=20Sch=C3=A4fer?=
Date: Fri, 9 Dec 2016 23:49:23 +0100
Subject: [PATCH] add: support for httponly and secure cookies
---
 src/helma/framework/CookieTrans.java | 21 ++++++++++++++++++++
 src/helma/framework/ResponseTrans.java | 8 ++++++++
 src/helma/servlet/AbstractServletClient.java | 4 ++--
 3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/src/helma/framework/CookieTrans.java b/src/helma/framework/CookieTrans.java
index 6c4a3a41..537c9610 100644
--- a/src/helma/framework/CookieTrans.java
+++ b/src/helma/framework/CookieTrans.java
@@ -29,6 +29,8 @@ public final class CookieTrans implements Serializable {
 String path;
 String domain;
 int days = -1;
+ boolean secure;
+ boolean httpOnly;
 CookieTrans(String name, String value) {
 this.name = name;
@@ -96,6 +98,22 @@ public final class CookieTrans implements Serializable {
 return domain;
 }
+ public boolean isSecure() {
+ return secure;
+ }
+
+ void isSecure(boolean secure) {
+ this.secure = secure;
+ }
+
+ public boolean isHttpOnly() {
+ return httpOnly;
+ }
+
+ void isHttpOnly(boolean httpOnly) {
+ this.httpOnly = httpOnly;
+ }
+
 /**
 *
 *
@@ -127,6 +145,9 @@ public final class CookieTrans implements Serializable {
 c.setDomain(defaultDomain);
 }
+ c.setHttpOnly(httpOnly);
+ c.setSecure(secure);
+
 return c;
 }
 }
diff --git a/src/helma/framework/ResponseTrans.java b/src/helma/framework/ResponseTrans.java
index d8e51c61..4ec26c70 100644
--- a/src/helma/framework/ResponseTrans.java
+++ b/src/helma/framework/ResponseTrans.java
@@ -999,6 +999,14 @@ public final class ResponseTrans extends Writer implements Serializable {
 c.setDays(days);
 c.setPath(path);
 c.setDomain(domain);
+
+ if (!"false".equalsIgnoreCase(app.getProperty("cookies.httpOnly"))) {
+ c.isHttpOnly(true);
+ }
+
+ if ("true".equalsIgnoreCase(app.getProperty("cookies.secure"))) {
+ c.isSecure(true);
+ }
 }
 /**
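Review bot: The two package-private mutators added in the second CookieTrans hunk, `void isSecure(boolean secure)` and `void isHttpOnly(boolean httpOnly)`, are setters carrying a getter's name, and each overloads the public boolean accessor declared directly above it, so `isSecure` both reports and changes state depending on arity. Renaming them `void setSecure(boolean secure)` and `void setHttpOnly(boolean httpOnly)` matches the `setDays`/`setPath`/`setDomain` setters that ResponseTrans already calls on the same object, at the cost of updating the two new call sites there (`c.setHttpOnly(true)`, `c.setSecure(true)`). The new public accessors also lack the Javadoc the neighbouring members carry; `/** Whether the emitted Set-Cookie header carries the Secure attribute (off by default). */` and `/** Whether the emitted Set-Cookie header carries the HttpOnly attribute (off by default). */` would do, the defaults following from the plain boolean fields added in the first hunk.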
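Review bot: `c.setHttpOnly(httpOnly)` in the third CookieTrans hunk compiles only against Servlet API 3.0 or later, where `javax.servlet.http.Cookie#setHttpOnly` was introduced; against an older servlet-api jar it fails to compile, and a class built against 3.0 but deployed on a 2.x container throws `NoSuchMethodError` at the first cookie, while `setSecure` has existed since the 2.x API. The AbstractServletClient hunk in this same commit still writes `; HttpOnly` by hand into a `Set-Cookie` string, which suggests the code base may not have assumed a 3.0 API so far, so the declared servlet dependency is worth confirming. If pre-3.0 containers stay supported, the hand-built header is the portable route, and a comment such as `// Cookie.setHttpOnly needs Servlet 3.0+; AbstractServletClient builds the header manually for that reason` should record the constraint either way. The enclosing method starts outside the hunk, so the type of `c` is inferred from its `setDomain` call.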
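Review bot: The two property reads added in the ResponseTrans hunk give the flags opposite defaults, HttpOnly is on unless `cookies.httpOnly` is literally `false` while Secure stays off unless `cookies.secure` is literally `true`, so an application served only over TLS still emits every cookie set through this method without the Secure attribute until an operator finds the property. The asymmetry is defensible, since Secure on a plain-HTTP site would make the cookie unusable, but nothing here says so; a comment above the block such as `// cookies.httpOnly is opt-out (default on); cookies.secure is opt-in and must be set for HTTPS deployments` would make the deployment requirement visible. The same two property names are spelled again in AbstractServletClient, and hoisting them into shared constants would keep the two cookie paths from drifting. The enclosing method begins outside the hunk.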
diff --git a/src/helma/servlet/AbstractServletClient.java b/src/helma/servlet/AbstractServletClient.java
index c63f42c7..a11581d9 100644
--- a/src/helma/servlet/AbstractServletClient.java
+++ b/src/helma/servlet/AbstractServletClient.java
@@ -589,10 +589,10 @@ public abstract class AbstractServletClient extends HttpServlet {
 // lowercase domain for IE
 buffer.append("; Domain=").append(domain.toLowerCase());
 }
- if (!"false".equalsIgnoreCase(app.getProperty("httpOnlySessionCookie"))) {
+ if (!"false".equalsIgnoreCase(app.getProperty("cookies.httpOnly"))) {
 buffer.append("; HttpOnly");
 }
- if ("true".equalsIgnoreCase(app.getProperty("secureSessionCookie"))) {
+ if ("true".equalsIgnoreCase(app.getProperty("cookies.secure"))) {
 buffer.append("; Secure");
 }
 response.addHeader("Set-Cookie", buffer.toString());
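Review bot: Renaming the properties from `secureSessionCookie`/`httpOnlySessionCookie` to `cookies.secure`/`cookies.httpOnly` with no fallback means a deployment that already set `secureSessionCookie=true` silently loses the Secure attribute on its session cookie after this upgrade, a protection downgrade that produces no error or log line. Reading the old key when the new one is absent keeps those deployments safe: `String secureProp = app.getProperty("cookies.secure");` / `if (secureProp == null) secureProp = app.getProperty("secureSessionCookie");` / `if ("true".equalsIgnoreCase(secureProp)) {`, with the same pattern for the HttpOnly check, or at minimum a startup warning when the old key is present plus a release note. The enclosing method starts before the hunk.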