From: markt
Date: Wed, 25 Aug 2010 11:36:38 +0000 (+0000)
Subject: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49749
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=ecc0c5b757c869b2b29c2419bf3bbf9b60f261b5;p=tomcat7.0

Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49749

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@989019 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index a9b282bb3..8d4fe6b4f 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -796,6 +796,12 @@ public abstract class AuthenticatorBase extends ValveBase
             cookie.setDomain(ssoDomain);
         }
 
+        // Configure httpOnly on SSO cookie using same rules as session cookies
+        if (request.getServletContext().getSessionCookieConfig().isHttpOnly() ||
+                request.getContext().getUseHttpOnly()) {
+            cookie.setHttpOnly(true);
+        }
+
         response.addCookie(cookie);
 
         // Register this principal with our SSO valve
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0f99d5e07..7b345f89f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -61,7 +61,11 @@
           processed. (markt)
-          47950: Align WebappClassLoader.validate()
+          49749: Single sign on cookies should have httpOnly flag set
+          using same rules as session cookies. (markt)
+
+
+          49750: Align WebappClassLoader.validate()
           implementation with Javadoc and ensure that javax.servlet.* classes can not be loaded by a WebappClassLoader instance. Patch provided by pid. (markt)
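Review bot: The Secure attribute is not mirrored onto the SSO cookie the way the httpOnly attribute now is, so unless something outside this hunk sets it, an SSO cookie issued over HTTPS remains eligible to be sent by the browser on plain-HTTP requests to the same host. The same "same rules as session cookies" approach applies; next to the new httpOnly block add `if (request.getServletContext().getSessionCookieConfig().isSecure() || request.isSecure()) { cookie.setSecure(true); }`. The new condition also dereferences `request.getServletContext()` and `request.getContext()` unconditionally; if either can be null at this point in the valve (I cannot tell from the hunk), guard them before use. The enclosing method starts and ends outside the hunk.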