From ecc0c5b757c869b2b29c2419bf3bbf9b60f261b5 Mon Sep 17 00:00:00 2001
From: markt
Date: Wed, 25 Aug 2010 11:36:38 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49749

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@989019 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/authenticator/AuthenticatorBase.java | 6 ++++++
 webapps/docs/changelog.xml | 6 +++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index a9b282bb3..8d4fe6b4f 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -796,6 +796,12 @@ public abstract class AuthenticatorBase extends ValveBase
             cookie.setDomain(ssoDomain);
         }
 
+        // Configure httpOnly on SSO cookie using same rules as session cookies
+        if (request.getServletContext().getSessionCookieConfig().isHttpOnly() ||
+                request.getContext().getUseHttpOnly()) {
+            cookie.setHttpOnly(true);
+        }
+
         response.addCookie(cookie);
 
         // Register this principal with our SSO valve
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0f99d5e07..7b345f89f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -61,7 +61,11 @@
         processed. (markt)
-        47950: Align WebappClassLoader.validate()
+        49749: Single sign on cookies should have httpOnly flag set
+        using same rules as session cookies. (markt)
+
+
+        49750: Align WebappClassLoader.validate()
         implementation with Javadoc and ensure that javax.servlet.* classes can not be loaded by a WebappClassLoader instance. Patch provided by pid. (markt)
-- 
2.11.0
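Review bot: The added block copies only the httpOnly half of the session-cookie rules onto the SSO cookie; nothing in this hunk sets the cookie's Secure flag, so unless a `setSecure` call exists in the part of the method outside the hunk, an SSO cookie issued on an HTTPS request can still be sent by the browser over plain HTTP, and httpOnly does nothing against that exposure. Mirroring the session-cookie treatment fully would mean adding, next to the new httpOnly check, `if (request.isSecure() || request.getServletContext().getSessionCookieConfig().isSecure()) { cookie.setSecure(true); }` with a comment `// Configure secure on SSO cookie using same rules as session cookies`. The check should stay additive like the httpOnly one (only ever turning the flag on), so a deployment that already relies on a default from `Cookie` is not changed. The enclosing method begins and ends outside this hunk, so whether such a call already exists cannot be confirmed from the diff alone.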