Summary: | o.a.c.h.s.JvmRouteBinderValve doesn't set HttpOnly flag to session Cookie. | ||
---|---|---|---|
Product: | Tomcat 5 | Reporter: | Keiichi Fujino <fujino.keiichi> |
Component: | Catalina:Cluster | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | P2 | ||
Version: | 5.5.28 | ||
Target Milestone: | --- | ||
Hardware: | All | ||
OS: | All | ||
Attachments: |
JvmRouteBinderValve For Tomcat6_trunk
JvmRouteBinderValve For Tomcat_trunk
Update patch for 6.0.x
Description
Keiichi Fujino
2009-07-21 03:16:41 UTC
Created attachment 24013 [details]
JvmRouteBinderValve For Tomcat6_trunk
This patch is for Tomcat 6 (tomcat/tc6.0.x/trunk/).
This patch uses response.addCookieInternal(Cookie, boolean).
Created attachment 24014 [details]
JvmRouteBinderValve For Tomcat_trunk
This patch is for Tomcat 7 or later (tomcat/trunk/).
This patch uses javax.servlet.SessionCookieConfig.
(It has not been implemented yet, has it? I tried to make a patch.)
It is similar to org.apache.catalina.connector.Request#configureSessionCookie.
I reproduced this case.

[configuration]
Clustering by TomcatA and TomcatB.
Both TomcatA and TomcatB set <Context useHttpOnly="true" />.
Both TomcatA and TomcatB set JvmRouteBinderValve.

[Test]
Access TomcatA (creates a session).
Access TomcatB (the session id is changed by JvmRouteBinderValve).

In the above test, the value of the Set-Cookie header was acquired by using RequestDumperValve. It is as follows.

[Before changing session ID]
...
Jul 27, 2009 6:39:55 PM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w; Path=/test; HttpOnly
...
This means HttpOnly is set.

[After changing session ID by JvmRouteBinderValve]
...
Jul 27, 2009 6:40:05 PM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w2; Path=/test
...
This means HttpOnly is not set.

Therefore, when the session ID is changed by JvmRouteBinderValve, HttpOnly is not set in the Set-Cookie header.

Best Regards.

Created attachment 24585 [details]
Update patch for 6.0.x
The provided patch for 6.0.x does not update the debug log message. An updated patch is attached which will be proposed for 6.0.x and 5.5.x.
The patch has been applied to 6.0.x and will be included in 6.0.21 onwards. This has been fixed for 5.5.x and will be included in 5.5.29 onwards.
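The reproduction above is easy to automate: every node in a cluster re-issues JSESSIONID when JvmRouteBinderValve re-binds a session, and that is exactly the Set-Cookie that has to be checked for the flags configured on the Context. The following checker is an added example written for this page, not code from the Tomcat project or from the bug reporter. It parses the two RequestDumperValve lines quoted in the report (copied here as constructed input), extracts each JSESSIONID Set-Cookie, and reports any cookie issued without HttpOnly together with the jvmRoute suffix change that identifies a re-bind. It assumes the "header=Set-Cookie=..." log format shown in the report and Tomcat's ".<jvmRoute>" session-id suffix; the optional Secure check is a general hygiene check added here, not something the report says the valve drops.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two RequestDumperValve lines quoted in the bug
# report, before and after JvmRouteBinderValve rewrote the session id.
LOG_LINES = [
    "Jul 27, 2009 6:39:55 PM org.apache.catalina.valves.RequestDumperValve invoke",
    "INFO: header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w; Path=/test; HttpOnly",
    "Jul 27, 2009 6:40:05 PM org.apache.catalina.valves.RequestDumperValve invoke",
    "INFO: header=Set-Cookie=JSESSIONID=327B246DA102027AB0860AE512169236.ajp13w2; Path=/test",
]

# RequestDumperValve logs each response header as "header=<name>=<value>"
# (format as shown in the report).
SET_COOKIE_RE = re.compile(r"header=Set-Cookie=(.*)$")


@dataclass
class SessionCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for bare flags such as HttpOnly
    attributes: Dict[str, Optional[str]]

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def jvm_route(self) -> Optional[str]:
        # With a jvmRoute configured on the Engine, Tomcat appends ".<jvmRoute>"
        # to the session id; JvmRouteBinderValve rewrites that suffix on failover.
        _, dot, route = self.value.partition(".")
        return route if dot else None


def parse_set_cookie(header_value: str) -> SessionCookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attributes: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip() if sep else None
    return SessionCookie(name.strip(), value.strip(), attributes)


def extract_session_cookies(lines: List[str], cookie_name: str = "JSESSIONID") -> List[SessionCookie]:
    """Pull every Set-Cookie for the session cookie out of RequestDumperValve output."""
    cookies: List[SessionCookie] = []
    for line in lines:
        match = SET_COOKIE_RE.search(line)
        if match:
            cookie = parse_set_cookie(match.group(1))
            if cookie.name == cookie_name:
                cookies.append(cookie)
    return cookies


def audit(cookies: List[SessionCookie], require_secure: bool = False) -> List[str]:
    """Return one finding per missing flag, plus a note whenever the jvmRoute
    suffix changes between consecutive Set-Cookie headers (a session re-bind)."""
    findings: List[str] = []
    previous: Optional[SessionCookie] = None
    for cookie in cookies:
        if previous is not None and cookie.jvm_route != previous.jvm_route:
            findings.append(
                f"session re-bound from route {previous.jvm_route} to {cookie.jvm_route}"
            )
        if not cookie.http_only:
            findings.append(f"Set-Cookie for {cookie.name} (route {cookie.jvm_route}) lacks HttpOnly")
        if require_secure and not cookie.secure:
            findings.append(f"Set-Cookie for {cookie.name} (route {cookie.jvm_route}) lacks Secure")
        previous = cookie
    return findings


if __name__ == "__main__":
    for finding in audit(extract_session_cookies(LOG_LINES)):
        print(finding)
```

Run against the two quoted lines, the checker reports the ajp13w to ajp13w2 re-bind and that the re-issued cookie lacks HttpOnly, which is the defect the patches fix; after upgrading to 6.0.21 or 5.5.29 the same run should report nothing. Feeding it RequestDumperValve output from a real failover test (one access per node, as in the report) is a cheap regression check for any valve that writes the session cookie itself.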