Add HttpOnly support to session cookies. It is enabled by default and can be disabled...
authormarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sat, 13 Sep 2008 17:39:47 +0000 (17:39 +0000)
committermarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sat, 13 Sep 2008 17:39:47 +0000 (17:39 +0000)
Based on a patch by Jim Manico.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@694992 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/catalina/Manager.java
java/org/apache/catalina/connector/Request.java
java/org/apache/catalina/connector/Response.java
java/org/apache/catalina/session/ManagerBase.java
java/org/apache/tomcat/util/http/ServerCookie.java
webapps/docs/config/manager.xml

index 8c214ca..51c24f6 100644 (file)
@@ -240,6 +240,24 @@ public interface Manager {
     public void setSessionAverageAliveTime(int sessionAverageAliveTime);
 
 
+    /**
+     * Gets the value of the use HttpOnly cookies for session cookies flag.
+     * 
+     * @return <code>true</code> if the HttpOnly flag should be set on session
+     *         cookies
+     */
+    public boolean getUseHttpOnly();
+
+
+    /**
+     * Sets the use HttpOnly cookies for session cookies flag.
+     * 
+     * @param useHttpOnly   Set to <code>true</code> to use HttpOnly cookies
+     *                          for session cookies
+     */
+    public void setUseHttpOnly(boolean useHttpOnly);
+
+
     // --------------------------------------------------------- Public Methods
 
 
index b53d646..f92511f 100644 (file)
@@ -2331,7 +2331,7 @@ public class Request
             Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
                                        session.getIdInternal());
             configureSessionCookie(cookie);
-            response.addCookieInternal(cookie);
+            response.addCookieInternal(cookie, manager.getUseHttpOnly());
         }
 
         if (session != null) {
index edea82f..fa42135 100644 (file)
@@ -954,6 +954,17 @@ public class Response
      * @param cookie Cookie to be added
      */
     public void addCookieInternal(final Cookie cookie) {
+        addCookieInternal(cookie, false);
+    }
+
+    /**
+     * Add the specified Cookie to those that will be included with
+     * this Response.
+     *
+     * @param cookie    Cookie to be added
+     * @param httpOnly  Should the httpOnly falg be set on this cookie
+     */
+    public void addCookieInternal(final Cookie cookie, final boolean httpOnly) {
 
         if (isCommitted())
             return;
@@ -968,7 +979,8 @@ public class Response
                         (sb, cookie.getVersion(), cookie.getName(), 
                          cookie.getValue(), cookie.getPath(), 
                          cookie.getDomain(), cookie.getComment(), 
-                         cookie.getMaxAge(), cookie.getSecure());
+                         cookie.getMaxAge(), cookie.getSecure(),
+                         httpOnly);
                     return null;
                 }
             });
@@ -976,7 +988,7 @@ public class Response
             ServerCookie.appendCookieValue
                 (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
                      cookie.getPath(), cookie.getDomain(), cookie.getComment(), 
-                     cookie.getMaxAge(), cookie.getSecure());
+                     cookie.getMaxAge(), cookie.getSecure(), httpOnly);
         }
         //if we reached here, no exception, cookie is valid
         // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
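Review bot: The Javadoc of the new two-argument `addCookieInternal` misspells the flag name; it should read `@param httpOnly  Should the HttpOnly flag be set on this cookie`. The surviving one-argument overload now forwards `false`, so any caller that still goes through it never gets HttpOnly on its cookie; its Javadoc, which begins above the hunk, should state this explicitly, e.g. `Equivalent to {@code addCookieInternal(cookie, false)}: the HttpOnly flag is not set.` The body of the two-argument method continues outside the hunk.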
index ae71cf9..731ed99 100644 (file)
@@ -217,7 +217,11 @@ public abstract class ManagerBase implements Manager, MBeanRegistration {
      */
     protected PropertyChangeSupport support = new PropertyChangeSupport(this);
     
-    
+    /**
+     * The flag that indicates that session cookies should use HttpOnly
+     */
+    protected boolean useHttpOnly = true;
+
     // ------------------------------------------------------------- Security classes
 
 
@@ -655,6 +659,27 @@ public abstract class ManagerBase implements Manager, MBeanRegistration {
 
     }
 
+    /**
+     * Gets the value of the use HttpOnly cookies for session cookies flag.
+     * 
+     * @return <code>true</code> if the HttpOnly flag should be set on session
+     *         cookies
+     */
+    public boolean getUseHttpOnly() {
+        return useHttpOnly;
+    }
+
+
+    /**
+     * Sets the use HttpOnly cookies for session cookies flag.
+     * 
+     * @param useHttpOnly   Set to <code>true</code> to use HttpOnly cookies
+     *                          for session cookies
+     */
+    public void setUseHttpOnly(boolean useHttpOnly) {
+        this.useHttpOnly = useHttpOnly;
+    }
+    
     // --------------------------------------------------------- Public Methods
 
 
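Review bot: `setUseHttpOnly` in the second hunk assigns the field directly without notifying the `PropertyChangeSupport support` declared at the top of the first hunk; if the sibling setters in ManagerBase fire property-change events (not visible here), this one should do the same: `boolean oldUseHttpOnly = this.useHttpOnly; this.useHttpOnly = useHttpOnly; support.firePropertyChange("useHttpOnly", oldUseHttpOnly, useHttpOnly);`. The getter's Javadoc should also record the default chosen by the field initialiser, since it is the security-relevant part of this change: `Defaults to <code>true</code>.`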
index b15c432..7a93fa2 100644 (file)
@@ -257,7 +257,8 @@ public class ServerCookie implements Serializable {
                                           String domain,
                                           String comment,
                                           int maxAge,
-                                          boolean isSecure )
+                                          boolean isSecure,
+                                          boolean isHttpOnly)
     {
         StringBuffer buf = new StringBuffer();
         // Servlet implementation checks name
@@ -321,6 +322,10 @@ public class ServerCookie implements Serializable {
           buf.append ("; Secure");
         }
         
+        // HttpOnly
+        if (isHttpOnly) {
+            buf.append("; HttpOnly");
+        }
         headerBuf.append(buf);
     }
 
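Review bot: `appendCookieValue` gains a mandatory `isHttpOnly` parameter in the first hunk with no overload preserving the previous arity, so any caller other than the two Response call sites updated in this commit will no longer compile; Response kept its one-argument `addCookieInternal` as a delegating overload, and a nine-argument overload here that forwards `false` would give the same compatibility. The method's signature begins above the first hunk, so its earlier parameters are not visible. In the second hunk the `// HttpOnly` comment only restates the condition; a more useful one is `// Not part of RFC 2109; appended for both v0 and v1 cookies, like Secure above`.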
index 5ed3a40..5df2640 100644 (file)
         The default is 16.</p>
       </attribute>
 
+      <attribute name="useHttpOnly" required="false">
+       <p>Should the HttpOnly flag be set on session cookies to prevent client
+          side script from accessing the session ID? Defaults to
+          <code>true</code>.</p>
+      </attribute>
+
     </attributes>
 
     <h3>Persistent Manager Implementation</h3>
         The default is 16.</p>
       </attribute>
 
+      <attribute name="useHttpOnly" required="false">
+       <p>Should the HttpOnly flag be set on session cookies to prevent client
+          side script from accessing the session ID? Defaults to
+          <code>true</code>.</p>
+      </attribute>
+
     </attributes>
 
     <p>In order to successfully use a PersistentManager, you must nest inside