Eclipse Community Forums
Home » Eclipse Projects » Remote Application Platform (RAP) » HttpOnly flag for settingStore cookie
HttpOnly flag for settingStore cookie [message #1059702] Tue, 21 May 2013 09:41
Yury Mising name
Messages: 95
Registered: May 2010
Location: Russia
Member
Is it possible to set the httpOnly flag for the settingStore cookie and provide this fix with RAP 2.1?

// Imports needed by the snippet (RAP 2.x package names, Servlet API 3.0+)
import javax.servlet.http.Cookie;

import org.eclipse.rap.rwt.RWT;
import org.eclipse.rap.rwt.internal.service.ContextProvider;
import org.eclipse.rap.rwt.service.UISession;

  private String getStoreId() {
    UISession uiSession = ContextProvider.getUISession();
    // 1. storeId stored in session? (implies cookie exists)
    String result = ( String )uiSession.getAttribute( COOKIE_NAME );
    if( result == null ) {
      // 2. storeId stored in cookie?
      result = getStoreIdFromCookie();
      if( result == null ) {
        // 3. create new storeId
        result = createUniqueStoreId();
      }
      // (2+3) do refresh cookie, to ensure it expires in COOKIE_MAX_AGE_SEC
      Cookie cookie = new Cookie( COOKIE_NAME, result );
      cookie.setSecure( RWT.getRequest().isSecure() );
      cookie.setMaxAge( COOKIE_MAX_AGE_SEC );
      // Proposed change: keep the store id out of reach of document.cookie
      // (Cookie.setHttpOnly exists since Servlet API 3.0)
      cookie.setHttpOnly( true );
      ContextProvider.getResponse().addCookie( cookie );
      // (2+3) update storeId stored in session
      // Note: This attribute must be checked for validity to prevent attacks
      // like http://www.owasp.org/index.php/Cross-User_Defacement
      uiSession.setAttribute( COOKIE_NAME, result );
    }
    return result;
  }


Best regards,
Yury.

[Updated on: Tue, 21 May 2013 09:42]

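The following is an added example, not code from the RAP project or from either poster: it is the response-side check a reviewer would run against a RAP application to confirm that the settingStore cookie is actually emitted with HttpOnly (and with Secure when served over TLS), which is the observable effect of the change proposed above. The parser and the audit_set_cookie function are my own; the cookie values, Max-Age and header layout in the samples are constructed, not captured from a real deployment.

```python
"""Audit Set-Cookie headers for the flags discussed in this thread.

Added example, not RAP project code. The sample responses below are
constructed; the attribute layout mirrors what a javax.servlet Cookie with
setSecure/setMaxAge/setHttpOnly produces.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value; flags such as HttpOnly map to ""
    attributes: Dict[str, str] = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        # Attribute names are case-insensitive (RFC 6265, section 5.2)
        return flag.lower() in self.attributes


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split one Set-Cookie value into its cookie-pair and attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie-pair: {parts[0]!r}")
    cookie = ParsedCookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, _, val = attr.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip()
    return cookie


def audit_set_cookie(headers: Sequence[Tuple[str, str]], over_tls: bool,
                     watch: Optional[Sequence[str]] = None) -> List[str]:
    """Return one finding per missing protection on the audited cookies.

    headers  -- (name, value) pairs of a single HTTP response
    over_tls -- True when the response was served over HTTPS; Secure is
                only expected then (a Secure cookie is never sent over HTTP)
    watch    -- cookie names to audit; None audits every cookie in the response
    """
    findings: List[str] = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(header_value)
        if watch is not None and cookie.name not in watch:
            continue
        if not cookie.has_flag("HttpOnly"):
            findings.append(f"{cookie.name}: missing HttpOnly (exposed to document.cookie)")
        if over_tls and not cookie.has_flag("Secure"):
            findings.append(f"{cookie.name}: missing Secure (would also be sent over plain HTTP)")
    return findings


# Constructed sample responses: store id and Max-Age are made up.
BEFORE_FIX = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "settingStore=a1b2c3d4e5f6; Max-Age=7776000; Secure"),
]
AFTER_FIX = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "settingStore=a1b2c3d4e5f6; Max-Age=7776000; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, response in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        result = audit_set_cookie(response, over_tls=True, watch=["settingStore"])
        print(f"{label}: {result or 'no findings'}")
```

The check deliberately treats a missing Secure flag as a finding only for responses served over TLS, matching the `cookie.setSecure( RWT.getRequest().isSecure() )` line in the snippet: on a plain-HTTP deployment a Secure cookie would never be sent back at all. Passing `watch=None` audits every cookie in the response rather than only settingStore.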

Re: HttpOnly flag for settingStore cookie [message #1059839 is a reply to message #1059702] Tue, 21 May 2013 20:16
Ralf Sternberg
Messages: 1290
Registered: July 2009
Senior Member

If you'd like to request a change in RAP, please open an enhancement
request [1] and explain why this change is needed. For 2.1, it's too
late for changes unless it's a severe issue.

Regards, Ralf

[1] http://eclipse.org/rap/bugs/

--
Ralf Sternberg

Twitter: @EclipseRAP
Blog: http://eclipsesource.com/blogs/

Professional services for RAP and RCP?
http://eclipsesource.com/services/rap/
Re: HttpOnly flag for settingStore cookie [message #1059880 is a reply to message #1059839] Wed, 22 May 2013 05:31
Yury Mising name
Messages: 95
Registered: May 2010
Location: Russia
Member
Thank you, Ralf. I have reported it at https://bugs.eclipse.org/bugs/show_bug.cgi?id=408656

Best regards,
Yury.