git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@989019 13f79535-47bb-0310-9956-ffa450edef68
cookie.setDomain(ssoDomain);
}
+ // Configure httpOnly on SSO cookie using same rules as session cookies
+ if (request.getServletContext().getSessionCookieConfig().isHttpOnly() ||
+ request.getContext().getUseHttpOnly()) {
+ cookie.setHttpOnly(true);
+ }
+
response.addCookie(cookie);
// Register this principal with our SSO valve
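Review bot: the httpOnly rule is re-implemented inline as `request.getServletContext().getSessionCookieConfig().isHttpOnly() || request.getContext().getUseHttpOnly()`, so the SSO cookie is flagged httpOnly when either the SessionCookieConfig or the Context's useHttpOnly setting asks for it; since the comment states this is the same rule applied to session cookies, consider moving the check into a shared helper so the two code paths cannot drift apart, and spell out the OR semantics (either source is sufficient) in the comment.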
processed. (markt)
</fix>
<fix>
- <bug>47950</bug>: Align <code>WebappClassLoader.validate()</code>
+ <bug>49749</bug>: Single sign on cookies should have httpOnly flag set
+ using same rules as session cookies. (markt)
+ </fix>
+ <fix>
+ <bug>49750</bug>: Align <code>WebappClassLoader.validate()</code>
implementation with Javadoc and ensure that <code>javax.servlet.*</code>
classes can not be loaded by a <code>WebappClassLoader</code> instance.
Patch provided by pid. (markt)
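Review bot: the removed line changes the existing WebappClassLoader.validate() entry's bug id from 47950 to 49750 while the new 49749 entry is inserted above it; confirm the renumbering is an intended correction rather than an accidental edit made while adding the SSO httpOnly entry, and keep the two `<fix>` blocks balanced as they are here.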