authorJames Moger <james.moger@gitblit.com>2011-05-23 16:46:09 -0400
committerJames Moger <james.moger@gitblit.com>2011-05-23 16:46:09 -0400
commita4d2498b7f94012cfdf481fcf151f8cfd7537a42 (patch)
treea5ad4a3d883d80ac76992799510544a43c7c124a /src/com/gitblit/GitBlitServer.java
parenta9299738a991014788b72db7c9afc946633590e2 (diff)
User list. Revised home page. Updated Jetty. Secure cookies. Docs.
Diffstat (limited to 'src/com/gitblit/GitBlitServer.java')
-rw-r--r--src/com/gitblit/GitBlitServer.java11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/com/gitblit/GitBlitServer.java b/src/com/gitblit/GitBlitServer.java
index 08c9b297..e9e44637 100644
--- a/src/com/gitblit/GitBlitServer.java
+++ b/src/com/gitblit/GitBlitServer.java
@@ -29,6 +29,7 @@ import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.bio.SocketConnector;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
+import org.eclipse.jetty.server.session.HashSessionManager;
import org.eclipse.jetty.server.ssl.SslConnector;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.server.ssl.SslSocketConnector;
@@ -192,6 +193,16 @@ public class GitBlitServer {
rootContext.setServer(server);
rootContext.setWar(location.toExternalForm());
rootContext.setTempDirectory(tempDir);
+
+ // Mark all cookies HttpOnly so they are not accessible to JavaScript
+ // engines.
+ // http://erlend.oftedal.no/blog/?blogid=33
+ // https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting_HttpOnly
+ HashSessionManager sessionManager = new HashSessionManager();
+ sessionManager.setHttpOnly(true);
+ // Use secure cookies if only serving https
+ sessionManager.setSecureCookies(params.port <= 0 && params.securePort > 0);
+ rootContext.getSessionHandler().setSessionManager(sessionManager);
// Wicket Filter
String wicketPathSpec = "/*";