diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java index d56d9c0c6..6123a872d 100644 --- a/src/main/java/com/gitblit/GitBlitServer.java +++ b/src/main/java/com/gitblit/GitBlitServer.java @@ -375,7 +375,8 @@ public void log(String message) { HashSessionManager sessionManager = new HashSessionManager(); sessionManager.setHttpOnly(true); // Use secure cookies if only serving https - sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0); + sessionManager.setSecureRequestOnly( (params.port <= 0 && params.securePort > 0) || + (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) ); rootContext.getSessionHandler().setSessionManager(sessionManager); // Ensure there is a defined User Service diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java index 497876315..0a4d8ed72 100644 --- a/src/main/java/com/gitblit/manager/AuthenticationManager.java +++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java @@ -608,6 +608,11 @@ public void setCookie(HttpServletRequest request, HttpServletResponse response, userCookie = new Cookie(Constants.NAME, cookie); // expire the cookie in 7 days userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7)); + + // Set cookies HttpOnly so they are not accessible to JavaScript engines + userCookie.setHttpOnly(true); + // Set secure cookie if only HTTPS is used + userCookie.setSecure(httpsOnly()); } } String path = "/"; @@ -622,6 +627,15 @@ public void setCookie(HttpServletRequest request, HttpServletResponse response, } } + + private boolean httpsOnly() { + int port = settings.getInteger(Keys.server.httpPort, 0); + int tlsPort = settings.getInteger(Keys.server.httpsPort, 0); + return (port <= 0 && tlsPort > 0) || + (port > 0 && tlsPort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true) ); + } + + /** * Logout a user. *