From: Florian Zschocke <florian.zschocke@devolo.de>
Date: Sat, 10 Dec 2016 10:30:28 +0000 (+0100)
Subject: Set secure session cookies when redirecting from HTTP to HTTPS.
X-Git-Tag: merged--secureCookies
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=60099a42faf7c34edb4651253cdb1a7723fbf029;p=gitblit.git

Set secure session cookies when redirecting from HTTP to HTTPS.

So far for session cookies the secure property was only set when no
HTTP port was opened. This changes to also set it when HTTP is redirected
to the HTTPS port.
---

diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java
index d56d9c0c..6123a872 100644
--- a/src/main/java/com/gitblit/GitBlitServer.java
+++ b/src/main/java/com/gitblit/GitBlitServer.java
@@ -375,7 +375,8 @@ public class GitBlitServer {
 		HashSessionManager sessionManager = new HashSessionManager();
 		sessionManager.setHttpOnly(true);
 		// Use secure cookies if only serving https
-		sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);
+		sessionManager.setSecureRequestOnly( (params.port <= 0 && params.securePort > 0) ||
+				(params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) );
 		rootContext.getSessionHandler().setSessionManager(sessionManager);
 
 		// Ensure there is a defined User Service