From cf21c6cd897f87710f1540a6ba9b7923c340a073 Mon Sep 17 00:00:00 2001
From: markt
Date: Sat, 13 Sep 2008 17:39:47 +0000
Subject: [PATCH] Add HttpOnly support to session cookies. It is enabled by default and can be disabled at via manager configuration. Based on a patch by Jim Manico.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@694992 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/Manager.java | 18 +++++++++++++++
 java/org/apache/catalina/connector/Request.java | 2 +-
 java/org/apache/catalina/connector/Response.java | 16 +++++++++++--
 java/org/apache/catalina/session/ManagerBase.java | 27 +++++++++++++++++++++-
 java/org/apache/tomcat/util/http/ServerCookie.java | 7 +++++-
 webapps/docs/config/manager.xml | 12 ++++++++++
 6 files changed, 77 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/catalina/Manager.java b/java/org/apache/catalina/Manager.java
index 8c214ca83..51c24f62c 100644
--- a/java/org/apache/catalina/Manager.java
+++ b/java/org/apache/catalina/Manager.java
@@ -240,6 +240,24 @@ public interface Manager {
 public void setSessionAverageAliveTime(int sessionAverageAliveTime);
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return true if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly();
+
+ /**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to true to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly);
+
+
 // --------------------------------------------------------- Public Methods
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index b53d646b9..f92511f7f 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
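Review bot: The new `getUseHttpOnly`/`setUseHttpOnly` methods are added to the public `Manager` interface with no note of what an implementation outside ManagerBase is expected to return, and any third-party Manager that does not extend ManagerBase will stop compiling against this interface. The getter's Javadoc should state the expected default, e.g. `* Implementations are expected to default to true so that the session ID is withheld from client-side script unless explicitly configured otherwise.` The phrase "the use HttpOnly cookies for session cookies flag" in both new comments also reads awkwardly; "whether the HttpOnly attribute is set on session cookies" says the same thing more clearly.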
@@ -2331,7 +2331,7 @@ public class Request
 Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, session.getIdInternal());
 configureSessionCookie(cookie);
- response.addCookieInternal(cookie);
+ response.addCookieInternal(cookie, manager.getUseHttpOnly());
 }
 if (session != null) {
diff --git a/java/org/apache/catalina/connector/Response.java b/java/org/apache/catalina/connector/Response.java
index edea82f59..fa4213529 100644
--- a/java/org/apache/catalina/connector/Response.java
+++ b/java/org/apache/catalina/connector/Response.java
@@ -954,6 +954,17 @@ public class Response
 * @param cookie Cookie to be added
 */
 public void addCookieInternal(final Cookie cookie) {
+ addCookieInternal(cookie, false);
+ }
+
+ /**
+ * Add the specified Cookie to those that will be included with
+ * this Response.
+ *
+ * @param cookie Cookie to be added
+ * @param httpOnly Should the httpOnly falg be set on this cookie
+ */
+ public void addCookieInternal(final Cookie cookie, final boolean httpOnly) {
 if (isCommitted()) return;
@@ -968,7 +979,8 @@ public class Response
 (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(),
+ httpOnly);
 return null;
 }
 });
@@ -976,7 +988,7 @@ public class Response
 ServerCookie.appendCookieValue (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(), cookie.getPath(), cookie.getDomain(), cookie.getComment(),
- cookie.getMaxAge(), cookie.getSecure());
+ cookie.getMaxAge(), cookie.getSecure(), httpOnly);
 }
 //if we reached here, no exception, cookie is valid
 // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index ae71cf9dc..731ed991c 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
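Review bot: The `@param httpOnly` line in the new Javadoc of the two-argument `addCookieInternal` has a typo ("falg"), and the one-argument overload now silently fixes httpOnly to false without saying so in its own Javadoc, which is the form every caller other than the session-cookie path in Request.java keeps using. Suggested lines: `@param httpOnly Should the HttpOnly attribute be set on this cookie` on the new overload, and `Equivalent to addCookieInternal(cookie, false); the HttpOnly attribute is only emitted through the two-argument form.` on the old one. The `httpOnly` pass-through in the two following hunks (the privileged and unprivileged `appendCookieValue` calls) is consistent with this; note that the body of `addCookieInternal` continues past the end of this hunk.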
@@ -217,7 +217,11 @@ public abstract class ManagerBase implements Manager, MBeanRegistration {
 */
 protected PropertyChangeSupport support = new PropertyChangeSupport(this);
-
+ /**
+ * The flag that indicates that session cookies should use HttpOnly
+ */
+ protected boolean useHttpOnly = true;
+
 // ------------------------------------------------------------- Security classes
@@ -655,6 +659,27 @@ public abstract class ManagerBase implements Manager, MBeanRegistration {
 }
+ /**
+ * Gets the value of the use HttpOnly cookies for session cookies flag.
+ *
+ * @return true if the HttpOnly flag should be set on session
+ * cookies
+ */
+ public boolean getUseHttpOnly() {
+ return useHttpOnly;
+ }
+
+ /**
+ * Sets the use HttpOnly cookies for session cookies flag.
+ *
+ * @param useHttpOnly Set to true to use HttpOnly cookies
+ * for session cookies
+ */
+ public void setUseHttpOnly(boolean useHttpOnly) {
+ this.useHttpOnly = useHttpOnly;
+ }
+
 // --------------------------------------------------------- Public Methods
diff --git a/java/org/apache/tomcat/util/http/ServerCookie.java b/java/org/apache/tomcat/util/http/ServerCookie.java
index b15c4328c..7a93fa2a2 100644
--- a/java/org/apache/tomcat/util/http/ServerCookie.java
+++ b/java/org/apache/tomcat/util/http/ServerCookie.java
@@ -257,7 +257,8 @@ public class ServerCookie implements Serializable {
 String domain, String comment, int maxAge,
- boolean isSecure )
+ boolean isSecure,
+ boolean isHttpOnly)
 {
 StringBuffer buf = new StringBuffer();
 // Servlet implementation checks name
@@ -321,6 +322,10 @@ public class ServerCookie implements Serializable {
 buf.append ("; Secure");
 }
+ // HttpOnly
+ if (isHttpOnly) {
+ buf.append("; HttpOnly");
+ }
 headerBuf.append(buf);
 }
diff --git a/webapps/docs/config/manager.xml b/webapps/docs/config/manager.xml
index 5ed3a4064..5df2640ec 100644
--- a/webapps/docs/config/manager.xml
+++ b/webapps/docs/config/manager.xml
@@ -157,6 +157,12 @@ The default is 16.
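Review bot: `setUseHttpOnly` in the second ManagerBase hunk assigns the field directly and never notifies the `support` PropertyChangeSupport that the first hunk of this file shows the class carrying; if the other setters of ManagerBase fire property-change events (not visible here, to be confirmed), this one should follow the same pattern: `boolean oldUseHttpOnly = this.useHttpOnly;`, `this.useHttpOnly = useHttpOnly;`, `support.firePropertyChange("useHttpOnly", Boolean.valueOf(oldUseHttpOnly), Boolean.valueOf(useHttpOnly));`. The field comment `The flag that indicates that session cookies should use HttpOnly` would also be more useful if it recorded the default and the reason, e.g. `Defaults to true so that the session ID is not readable by client-side script; only disable when an application genuinely needs script access to it.`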
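Review bot: Adding `boolean isHttpOnly` as a new trailing parameter of `appendCookieValue` changes a public signature in the shared `org.apache.tomcat.util.http` package, so any caller other than the two in Response.java that this commit updates would no longer compile; if such callers exist, keeping the old arity as an overload that delegates with `false` avoids the break, e.g. `appendCookieValue(headerBuf, version, name, value, path, domain, comment, maxAge, isSecure, false);`. The enclosing method's signature starts before this hunk and its body continues well past it.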
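Review bot: The new `// HttpOnly` comment in the second ServerCookie hunk restates the code on the next line; a why-comment serves the next maintainer better, e.g. `// HttpOnly asks the browser to withhold this cookie from client-side script (see the useHttpOnly attribute in manager.xml)`. The attribute is appended after `; Secure` and is not gated on the cookie version, which is consistent with how the `Secure` attribute is handled a few lines above.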

+ +

Should the HttpOnly flag be set on session cookies to prevent client + side script from accessing the session ID? Defaults to + true.

+
+

Persistent Manager Implementation

@@ -264,6 +270,12 @@ The default is 16.

+ +

Should the HttpOnly flag be set on session cookies to prevent client + side script from accessing the session ID? Defaults to + true.

+
+

In order to successfully use a PersistentManager, you must nest inside -- 2.11.0