HttpOnly flag for settingStore cookie [message #1059702]
Tue, 21 May 2013 09:41
Yury (Member) Messages: 95 Registered: May 2010 Location: Russia
Is it possible to set the httpOnly flag for the settingStore cookie and provide this fix with RAP 2.1?
private String getStoreId() {
    UISession uiSession = ContextProvider.getUISession();
    // 1. storeId stored in session? (implies cookie exists)
    String result = ( String )uiSession.getAttribute( COOKIE_NAME );
    if( result == null ) {
        // 2. storeId stored in cookie?
        result = getStoreIdFromCookie();
        if( result == null ) {
            // 3. create new storeId
            result = createUniqueStoreId();
        }
        // (2+3) do refresh cookie, to ensure it expires in COOKIE_MAX_AGE_SEC
        Cookie cookie = new Cookie( COOKIE_NAME, result );
        cookie.setSecure( RWT.getRequest().isSecure() );
        cookie.setMaxAge( COOKIE_MAX_AGE_SEC );
        cookie.setHttpOnly( true );
        ContextProvider.getResponse().addCookie( cookie );
        // (2+3) update storeId stored in session
        // Note: This attribute must be checked for validity to prevent attacks
        // like http://www.owasp.org/index.php/Cross-User_Defacement
        uiSession.setAttribute( COOKIE_NAME, result );
    }
    return result;
}
Best regards,
Yury.
[Updated on: Tue, 21 May 2013 09:42]
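A small Python check, added here and not taken from the post or from RAP, that audits Set-Cookie header values for the protections the patch above is meant to add: it flags a cookie that lacks HttpOnly, lacks Secure when the response was served over TLS (the post keys Secure off RWT.getRequest().isSecure()), or carries no lifetime. The header strings and the cookie name settingStore are constructed sample values, not output captured from a RAP server.

```python
"""Audit Set-Cookie header values for HttpOnly, Secure and a lifetime.

Constructed example: the headers below are made up to mirror the cookie
the post discusses; no real server was queried.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    value: str
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    audit = CookieAudit(name.strip(), value.strip())
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flags such as HttpOnly and Secure carry no value; store None for them.
        audit.attributes[key.strip().lower()] = val.strip() if sep else None
    return audit


def audit_set_cookie(header: str, over_tls: bool) -> CookieAudit:
    """Report which protections the cookie lacks (over_tls ~ request.isSecure())."""
    audit = parse_set_cookie(header)
    attrs = audit.attributes
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: cookie readable via document.cookie")
    if over_tls and "secure" not in attrs:
        audit.findings.append("missing Secure: cookie also sent over plain HTTP")
    if "max-age" not in attrs and "expires" not in attrs:
        audit.findings.append("no Max-Age/Expires: lifetime left to browser session")
    return audit


# Constructed headers: before and after the HttpOnly change from the post.
WEAK_HEADER = "settingStore=EXAMPLE-STORE-ID; Max-Age=2592000; Path=/; Secure"
FIXED_HEADER = "settingStore=EXAMPLE-STORE-ID; Max-Age=2592000; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for hdr in (WEAK_HEADER, FIXED_HEADER):
        result = audit_set_cookie(hdr, over_tls=True)
        print(result.name, "OK" if result.ok else result.findings)
```

Cookie.setHttpOnly exists only from Servlet API 3.0 onward; on an older container the attribute has to be appended to the Set-Cookie header by hand, which is the kind of gap this check catches.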