From: fhanik true if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly();
+
/**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to true to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly);
+
+ /**
* Return the "allow crossing servlet contexts" flag.
*/
public boolean getCrossContext();
diff --git a/java/org/apache/catalina/Manager.java b/java/org/apache/catalina/Manager.java
index 51c24f62c..8c214ca83 100644
--- a/java/org/apache/catalina/Manager.java
+++ b/java/org/apache/catalina/Manager.java
@@ -240,24 +240,6 @@ public interface Manager {
public void setSessionAverageAliveTime(int sessionAverageAliveTime);
- /**
- * Gets the value of the use HttpOnly cookies for session cookies flag.
- *
- * @return true if the HttpOnly flag should be set on session
- * cookies
- */
- public boolean getUseHttpOnly();
-
-
- /**
- * Sets the use HttpOnly cookies for session cookies flag.
- *
- * @param useHttpOnly Set to true to use HttpOnly cookies
- * for session cookies
- */
- public void setUseHttpOnly(boolean useHttpOnly);
-
-
// --------------------------------------------------------- Public Methods
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index a9c379e48..67c49df98 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2455,7 +2455,7 @@ public class Request
}
if ((scc != null && scc.isHttpOnly()) ||
- context.getManager().getUseHttpOnly()) {
+ context.getUseHttpOnly()) {
cookie.setHttpOnly(true);
}
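Review bot: The condition now reads the flag from the Context, so a `useHttpOnly` attribute that a deployment had configured on its `<Manager>` element no longer influences this check; presumably such a setting is now reported as an unknown property at startup rather than silently ignored, but that is not visible from this hunk. Because the Context default (see the StandardContext hunk) is `true`, the failure direction is towards HttpOnly being set, which is the safer outcome, yet deployments that deliberately disabled it on the Manager will see a behaviour change. Consider a changelog/migration note stating that `useHttpOnly` moved from the Manager to the Context. Note also that the `||` keeps SessionCookieConfig authoritative when it requests HttpOnly: the Context flag can only add HttpOnly, never remove it. The enclosing method starts and ends outside the hunk.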
diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java
index 9acef0aa1..f82f35ad5 100644
--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
@@ -700,6 +700,13 @@ public class StandardContext
*/
private boolean saveConfig = true;
+ /**
+ * The flag that indicates that session cookies should use HttpOnly
+ */
+ private boolean useHttpOnly = true;
+
+
+
// ----------------------------------------------------- Context Properties
@@ -1114,6 +1121,33 @@ public class StandardContext
new Boolean(this.cookies));
}
+
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return true if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly() {
+ return useHttpOnly;
+ }
+
+
+ /**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to true to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly) {
+ boolean oldUseHttpOnly = this.useHttpOnly;
+ this.useHttpOnly = useHttpOnly;
+ support.firePropertyChange("useHttpOnly",
+ new Boolean(oldUseHttpOnly),
+ new Boolean(this.useHttpOnly));
+ }
+
+
/**
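Review bot: The `firePropertyChange` call in the new setter boxes with `new Boolean(...)`, matching the existing style at the top of the hunk, but `Boolean.valueOf` avoids an allocation per call and is the form the JDK recommends: `support.firePropertyChange("useHttpOnly", Boolean.valueOf(oldUseHttpOnly), Boolean.valueOf(this.useHttpOnly));`. The Javadoc of both accessors could also record the precedence that Request.java applies, since the check there is an OR: add to the setter `Setting this to false does not disable HttpOnly when the SessionCookieConfig of the web application already requests it.` so that operators do not read the flag as an override. The same `new Boolean` pattern appears in the context line at the start of this hunk and is not introduced by this change.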
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index 8f5749fcc..9a46d24e2 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -217,10 +217,6 @@ public abstract class ManagerBase implements Manager, MBeanRegistration {
*/
protected PropertyChangeSupport support = new PropertyChangeSupport(this);
- /**
- * The flag that indicates that session cookies should use HttpOnly
- */
- protected boolean useHttpOnly = true;
// ------------------------------------------------------------- Security classes
@@ -658,28 +654,6 @@ public abstract class ManagerBase implements Manager, MBeanRegistration {
new Integer(this.processExpiresFrequency));
}
-
- /**
- * Gets the value of the use HttpOnly cookies for session cookies flag.
- *
- * @return true if the HttpOnly flag should be set on session
- * cookies
- */
- public boolean getUseHttpOnly() {
- return useHttpOnly;
- }
-
-
- /**
- * Sets the use HttpOnly cookies for session cookies flag.
- *
- * @param useHttpOnly Set to true to use HttpOnly cookies
- * for session cookies
- */
- public void setUseHttpOnly(boolean useHttpOnly) {
- this.useHttpOnly = useHttpOnly;
- }
-
// --------------------------------------------------------- Public Methods
diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml
index 088acd1b6..90f22f427 100644
--- a/webapps/docs/config/context.xml
+++ b/webapps/docs/config/context.xml
@@ -229,6 +229,13 @@
implementation class that will be used for servlets managed by this
Context. If not specified, a standard default value will be used.
Should the HttpOnly flag be set on session cookies to prevent client
+ side script from accessing the session ID? Defaults to
+ true.
Should the HttpOnly flag be set on session cookies to prevent client
- side script from accessing the session ID? Defaults to
- true.