Merge pull request #1167 from fzs/secureCookies

gitblit · web-flow · commit 4ece397d7149 · 2016-12-14T17:01:10.000-05:00
Secure cookies
diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java
@@ -375,7 +375,8 @@ public void log(String message) {
 		HashSessionManager sessionManager = new HashSessionManager();
 		sessionManager.setHttpOnly(true);
 		// Use secure cookies if only serving https
-		sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);
+		sessionManager.setSecureRequestOnly( (params.port <= 0 && params.securePort > 0) ||
+				(params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) );
 		rootContext.getSessionHandler().setSessionManager(sessionManager);
 
 		// Ensure there is a defined User Service
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -608,6 +608,11 @@ public void setCookie(HttpServletRequest request, HttpServletResponse response,
 						userCookie = new Cookie(Constants.NAME, cookie);
 						// expire the cookie in 7 days
 						userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7));
+
+						// Set cookies HttpOnly so they are not accessible to JavaScript engines
+						userCookie.setHttpOnly(true);
+						// Set secure cookie if only HTTPS is used
+						userCookie.setSecure(httpsOnly());
 					}
 				}
 				String path = "/";
@@ -622,6 +627,15 @@ public void setCookie(HttpServletRequest request, HttpServletResponse response,
 		}
 	}
 
+
+	private boolean httpsOnly() {
+		int port = settings.getInteger(Keys.server.httpPort, 0);
+		int tlsPort = settings.getInteger(Keys.server.httpsPort, 0);
+		return  (port <= 0 && tlsPort > 0) ||
+				(port > 0 && tlsPort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true) );
+	}
+
+
 	/**
 	 * Logout a user.
 	 *

Original file line number	Diff line number	Diff line change
`@@ -608,6 +608,11 @@ public void setCookie(HttpServletRequest request, HttpServletResponse response,`
`608`	`608`	`userCookie = new Cookie(Constants.NAME, cookie);`
`609`	`609`	`// expire the cookie in 7 days`
`610`	`610`	`userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7));`
	`611`	`+`
	`612`	`+ // Set cookies HttpOnly so they are not accessible to JavaScript engines`
	`613`	`+ userCookie.setHttpOnly(true);`
	`614`	`+ // Set secure cookie if only HTTPS is used`
	`615`	`+ userCookie.setSecure(httpsOnly());`
`611`	`616`	`}`
`612`	`617`	`}`
`613`	`618`	`String path = "/";`
`@@ -622,6 +627,15 @@ public void setCookie(HttpServletRequest request, HttpServletResponse response,`
`622`	`627`	`}`
`623`	`628`	`}`
`624`	`629`
	`630`	`+`
	`631`	`+ private boolean httpsOnly() {`
	`632`	`+ int port = settings.getInteger(Keys.server.httpPort, 0);`
	`633`	`+ int tlsPort = settings.getInteger(Keys.server.httpsPort, 0);`
	`634`	`+ return (port <= 0 && tlsPort > 0) \|\|`
	`635`	`+ (port > 0 && tlsPort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true) );`
	`636`	`+ }`
	`637`	`+`
	`638`	`+`
`625`	`639`	`/**`
`626`	`640`	`* Logout a user.`
`627`	`641`	`*`