Bug 47554 - o.a.c.h.s.JvmRouteBinderValve doesn't set HttpOnly flag to session Cookie.
Summary: o.a.c.h.s.JvmRouteBinderValve doesn't set HttpOnly flag to session Cookie.
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina:Cluster (show other bugs)
Version: 5.5.28
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-21 03:16 UTC by Keiichi Fujino
Modified: 2010-01-30 11:30 UTC (History)
0 users



Attachments
JvmRouteBinderValve For Tomcat6_trunk (631 bytes, text/plain)
2009-07-21 03:19 UTC, Keiichi Fujino
Details
JvmRouteBinderValve For Tomcat_trunk (2.95 KB, text/plain)
2009-07-21 03:20 UTC, Keiichi Fujino
Details
Update patch for 6.0.x (3.48 KB, application/octet-stream)
2009-11-22 14:15 UTC, Mark Thomas
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Keiichi Fujino 2009-07-21 03:16:41 UTC
When session ID is changed with o.a.c.h.s.JvmRouteBinderValve, 
HttpOnly flag is not set to the session cookie newly made.

The cause is in the following o.a.c.h.s.JvmRouteBinderValve#setNewSessionCookie's codes. 

protected void setNewSessionCookie(Request request,
        Response response, String sessionId) {
    if (response != null) {
        Context context = request.getContext();
        if (context.getCookies()) {
            // set a new session cookie
            Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME,
                    sessionId);
            newCookie.setMaxAge(-1);
            String contextPath = null;
            if (!response.getConnector().getEmptySessionPath()
                    && (context != null)) {
                contextPath = context.getEncodedPath();
            }
            if ((contextPath != null) && (contextPath.length() > 0)) {
                newCookie.setPath(contextPath);
            } else {
                newCookie.setPath("/");
            }
            if (request.isSecure()) {
                newCookie.setSecure(true);
            }
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jvmRoute.newSessionCookie",
                        sessionId, Globals.SESSION_COOKIE_NAME, newCookie
                                .getPath(), new Boolean(newCookie
                                .getSecure())));
            }
            response.addCookie(newCookie);
        }
    }
}

HttpOnly flag is never set to Cookie regardless of the value of context.getUseHttpOnly().
When context.getUseHttpOnly() is set to true, it is necessary to set HttpOnly to Cookie. 

I made two patches.

The first is a patch for Tomcat6(tomcat/tc6.0.x/trunk/).
This patch uses response.addCookieInternal(Cookie, boolean).

The second is a patch for Tomcat7 or later (tomcat/trunk/).
This patch uses javax.servlet.SessionCookieConfig.
(It has not been implemented yet now ? I tried to make a patch.)
It is similar to org.apache.catalina.connector.Request#configureSessionCookie.

Best regards.
Comment 1 Keiichi Fujino 2009-07-21 03:19:52 UTC
Created attachment 24013 [details]
JvmRouteBinderValve For Tomcat6_trunk

This patch for Tomcat6(tomcat/tc6.0.x/trunk/).
This patch uses response.addCookieInternal(Cookie, boolean).
Comment 2 Keiichi Fujino 2009-07-21 03:20:51 UTC
Created attachment 24014 [details]
JvmRouteBinderValve For Tomcat_trunk

This patch for Tomcat7 or later (tomcat/trunk/).
This patch uses javax.servlet.SessionCookieConfig.
(It has not been implemented yet now ? I tried to make a patch.)
It is similar to org.apache.catalina.connector.Request#configureSessionCookie.
Comment 3 Keiichi Fujino 2009-07-27 02:57:54 UTC
I reproduced this case. 

[configuration]
Clustering by TomcatA and TomcatB
Both TomcatA and TomcatB set <Context useHttpOnly="true" />.
Both TomcatA and TomcatB set JvmRouteBinderValve. 
[Test]
accesses TomcatA. (create session.)
accesses TomcatB. (session id is changed by JvmRouteBinderValve. )

At the above test, value of the Set-Cookie header was acquired by using RequestDumperValve.
It is as follows. 

[Before changing session ID]
...
Jul 27, 2009 6:39:55 PM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w; Path=/test; HttpOnly
...

This means HttpOnly is set.


[After changing session ID by JvmRouteBinderValve]
...
Jul 27, 2009 6:40:05 PM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w2; Path=/test
...

This means HttpOnly is not set.

Therefore,
When session ID is changed by JvmRouteBinderValve, HttpOnly is not set to the Set-Cookie header. 

Best Regards.
Comment 4 Mark Thomas 2009-11-22 14:07:11 UTC
This was fixed in trunk in r802146
Comment 5 Mark Thomas 2009-11-22 14:15:02 UTC
Created attachment 24585 [details]
Update patch for 6.0.x

The provided patch for 6.0.x doe snot update the debug log message. An updated patch is attached which will be proposed for 6.0.x and 5.5.x
Comment 6 Mark Thomas 2009-12-16 08:45:44 UTC
The patch has been applied to 6.0.x and will be included in 6.0.21 onwards
Comment 7 Mark Thomas 2010-01-30 11:30:27 UTC
This has been fixed for 5.5.x and will be included in 5.5.29 onwards.