Set secure session cookies when redirecting from HTTP to HTTPS. 1167/head merged--secureCookies
authorFlorian Zschocke <florian.zschocke@devolo.de>
Sat, 10 Dec 2016 10:30:28 +0000 (11:30 +0100)
committerFlorian Zschocke <florian.zschocke@devolo.de>
Sat, 10 Dec 2016 10:30:28 +0000 (11:30 +0100)
So far for session cookies the secure property was only set when no
HTTP port was opened. This changes to also set it when HTTP is redirected
to the HTTPS port.

src/main/java/com/gitblit/GitBlitServer.java

index d56d9c0c6b7153231dd4138df0f1672aa3d20ae3..6123a872d9adaad0ffeb72cf3ea14289888f1643 100644 (file)
@@ -375,7 +375,8 @@ public class GitBlitServer {
                HashSessionManager sessionManager = new HashSessionManager();
                sessionManager.setHttpOnly(true);
                // Use secure cookies if only serving https
-               sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);
+               sessionManager.setSecureRequestOnly( (params.port <= 0 && params.securePort > 0) ||
+                               (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) );
                rootContext.getSessionHandler().setSessionManager(sessionManager);
 
                // Ensure there is a defined User Service
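Review bot: The comment above the call, `// Use secure cookies if only serving https`, no longer matches the condition, which now also sets the Secure flag when both ports are open and HTTP is redirected; suggest `// Use secure cookies if only serving https, or if http is redirected to https`. The expression tests `params.securePort > 0` twice and would be easier to audit as `params.securePort > 0 && (params.port <= 0 || settings.getBoolean(Keys.server.redirectToHttpsPort, true))`. The fallback `true` passed to `getBoolean` should be the same default used where the HTTP-to-HTTPS redirect is actually configured, which is not visible in this hunk. If the two disagree, either the cookie is marked Secure while plain HTTP is still served without redirect, so sessions silently fail there, or the flag is left off on a server that does redirect. The enclosing method starts and ends outside the hunk.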