From 90a8d1af6c202c8efcca5a0fdaf341494cb0b8eb Mon Sep 17 00:00:00 2001
From: Florian Zschocke
Date: Sat, 10 Dec 2016 10:57:45 +0100
Subject: [PATCH 1/2] Set secure user cookies and only for HTTP.
Mark the user authentication cookie to be only used for HTTP, making it inaccessible for JavaScript engines. If only HTTPS is used and no HTTP (i.e. also if HTTP is redirected to HTTPS) then mark the user cookie to be sent only over secure connections.
---
 .../com/gitblit/manager/AuthenticationManager.java | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java
index 497876315..0a4d8ed72 100644
--- a/src/main/java/com/gitblit/manager/AuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -608,6 +608,11 @@ public void setCookie(HttpServletRequest request, HttpServletResponse response,
 userCookie = new Cookie(Constants.NAME, cookie);
 // expire the cookie in 7 days
 userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7));
+
+ // Set cookies HttpOnly so they are not accessible to JavaScript engines
+ userCookie.setHttpOnly(true);
+ // Set secure cookie if only HTTPS is used
+ userCookie.setSecure(httpsOnly());
 }
 }
 String path = "/";
@@ -622,6 +627,15 @@ public void setCookie(HttpServletRequest request, HttpServletResponse response,
 }
 }
+
+ private boolean httpsOnly() {
+ int port = settings.getInteger(Keys.server.httpPort, 0);
+ int tlsPort = settings.getInteger(Keys.server.httpsPort, 0);
+ return (port <= 0 && tlsPort > 0) ||
+ (port > 0 && tlsPort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true) );
+ }
+
+
 /**
 * Logout a user.
 *
From 60099a42faf7c34edb4651253cdb1a7723fbf029 Mon Sep 17 00:00:00 2001
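Review bot: `userCookie.setSecure(httpsOnly())` decides the Secure flag purely from the embedded server's port settings, so when TLS is terminated somewhere those settings do not describe (a TLS-terminating reverse proxy in front of Gitblit, or — presumably, if this manager is also used outside the embedded server — both ports left at 0) httpsOnly() is false and the authentication cookie is issued without Secure even though the request arrived over HTTPS. Since setCookie already receives the request, consider also honouring the connection the cookie is being set on, `userCookie.setSecure(httpsOnly() || request.isSecure());`, bearing in mind that isSecure() only reflects what the servlet container itself sees, so a proxy has to be configured to forward the original scheme for it to help. The comment `// Set secure cookie if only HTTPS is used` should then say that a request that already arrived over TLS qualifies as well. setCookie starts before and ends after this hunk.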
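Review bot: The new httpsOnly() method carries no Javadoc, and its condition is the same expression the second patch spells out again in GitBlitServer for the session cookie, so the two call sites can silently drift apart; a one-line doc such as `/** True when clients can only reach Gitblit over TLS: no HTTP port is opened, or HTTP is redirected to the HTTPS port (Keys.server.redirectToHttpsPort). */` would make the intent visible at both. The boolean also reads more simply as `return tlsPort > 0 && (port <= 0 || settings.getBoolean(Keys.server.redirectToHttpsPort, true));`, which is equivalent to the two-clause form. Having one definition that both the user cookie and the session cookie (GitBlitServer hunk in patch 2) consult would keep them from disagreeing about when Secure applies.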
From: Florian Zschocke
Date: Sat, 10 Dec 2016 11:30:28 +0100
Subject: [PATCH 2/2] Set secure session cookies when redirecting from HTTP to HTTPS.
So far for session cookies the secure property was only set when no HTTP port was opened. This changes to also set it when HTTP is redirected to the HTTPS port.
---
 src/main/java/com/gitblit/GitBlitServer.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java
index d56d9c0c6..6123a872d 100644
--- a/src/main/java/com/gitblit/GitBlitServer.java
+++ b/src/main/java/com/gitblit/GitBlitServer.java
@@ -375,7 +375,8 @@ public void log(String message) {
 HashSessionManager sessionManager = new HashSessionManager();
 sessionManager.setHttpOnly(true);
 // Use secure cookies if only serving https
- sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);
+ sessionManager.setSecureRequestOnly( (params.port <= 0 && params.securePort > 0) ||
+ (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) );
 rootContext.getSessionHandler().setSessionManager(sessionManager);
 // Ensure there is a defined User Service
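Review bot: The unchanged comment `// Use secure cookies if only serving https` directly above the new setSecureRequestOnly call is now stale, because the condition also marks the session cookie Secure when an HTTP port is open but requests are redirected to the HTTPS port. Update it to `// Use secure cookies if only serving https, or if http requests are redirected to https` so the next reader does not assume the HTTP-only-closed case is the sole trigger. The enclosing method starts before and ends after this hunk.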