Set secure user cookies and only for HTTP.
authorFlorian Zschocke <florian.zschocke@devolo.de>
Sat, 10 Dec 2016 09:57:45 +0000 (10:57 +0100)
committerFlorian Zschocke <florian.zschocke@devolo.de>
Sat, 10 Dec 2016 09:57:45 +0000 (10:57 +0100)
Mark the user authentication cookie HttpOnly, making it inaccessible
to JavaScript engines.

If only HTTPS is used and no HTTP (i.e. also if HTTP is redirected to
HTTPS) then mark the user cookie to be sent only over secure connections.

src/main/java/com/gitblit/manager/AuthenticationManager.java

index 4978763152b1da4e334ae99cd8a33e7ffbf34113..0a4d8ed72b698c5426165c20951959c545879d3c 100644 (file)
@@ -608,6 +608,11 @@ public class AuthenticationManager implements IAuthenticationManager {
                                                userCookie = new Cookie(Constants.NAME, cookie);
                                                // expire the cookie in 7 days
                                                userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7));
+
+                                               // Set cookies HttpOnly so they are not accessible to JavaScript engines
+                                               userCookie.setHttpOnly(true);
+                                               // Set secure cookie if only HTTPS is used
+                                               userCookie.setSecure(httpsOnly());
                                        }
                                }
                                String path = "/";
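Review bot: `userCookie.setSecure(httpsOnly())` derives the Secure flag from Gitblit's own listener ports only, so in the common deployment where a reverse proxy terminates TLS and Gitblit listens on plain `server.httpPort`, the cookie is issued without Secure and the browser will also send it over any plain-HTTP request to that host, which is the leak the flag is meant to prevent. If the enclosing method has the `HttpServletRequest` in scope (its head is outside this hunk), consider combining both views: `userCookie.setSecure(httpsOnly() || request.isSecure());`, noting that `isSecure()` behind a proxy is only meaningful if the container honours X-Forwarded-Proto (e.g. Jetty's ForwardedRequestCustomizer). Setting HttpOnly unconditionally is correct. The enclosing method begins before and continues after this hunk.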
@@ -622,6 +627,15 @@ public class AuthenticationManager implements IAuthenticationManager {
                }
        }
 
+
+       private boolean httpsOnly() {
+               int port = settings.getInteger(Keys.server.httpPort, 0);
+               int tlsPort = settings.getInteger(Keys.server.httpsPort, 0);
+               return  (port <= 0 && tlsPort > 0) ||
+                               (port > 0 && tlsPort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true) );
+       }
+
+
        /**
         * Logout a user.
         *
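Review bot: `httpsOnly()` has no Javadoc although its result gates a security attribute on the session cookie, so the decision rule should be stated on the method: `/** True when Gitblit itself serves only HTTPS: no HTTP port is configured, or both ports are configured and HTTP is redirected to HTTPS. Based solely on server.* settings, so a TLS-terminating proxy in front of a plain-HTTP listener yields false. */`. The fallback `true` passed to `getBoolean(Keys.server.redirectToHttpsPort, true)` must match the default the server applies when it reads the same key, otherwise the cookie flag and the actual redirect behaviour can diverge; that default is not visible here. Minor: the doubled space after `return` on the first line of the expression is a formatting slip.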