diff options
author | Florian Zschocke <florian.zschocke@devolo.de> | 2016-12-10 10:57:45 +0100 |
---|---|---|
committer | Florian Zschocke <florian.zschocke@devolo.de> | 2016-12-10 10:57:45 +0100 |
commit | 90a8d1af6c202c8efcca5a0fdaf341494cb0b8eb (patch) | |
tree | bd9f0f4bc67cdb5a2dbffe7500e9432331698df3 /src | |
parent | d10fe0d8fd614f6ae6606179b0326bdc6a5f6af8 (diff) | |
download | gitblit-90a8d1af6c202c8efcca5a0fdaf341494cb0b8eb.tar.gz gitblit-90a8d1af6c202c8efcca5a0fdaf341494cb0b8eb.zip |
Set secure user cookies and only for HTTP.
Mark the user authentication cookie to be only used for HTTP, making
it inaccessible for JavaScript engines.
If only HTTPS is used and no HTTP (i.e. also if HTTP is redirected to
HTTPS) then mark the user cookie to be sent only over secure connections.
Diffstat (limited to 'src')
-rw-r--r-- | src/main/java/com/gitblit/manager/AuthenticationManager.java | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java index 49787631..0a4d8ed7 100644 --- a/src/main/java/com/gitblit/manager/AuthenticationManager.java +++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java @@ -608,6 +608,11 @@ public class AuthenticationManager implements IAuthenticationManager { userCookie = new Cookie(Constants.NAME, cookie); // expire the cookie in 7 days userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7)); + + // Set cookies HttpOnly so they are not accessible to JavaScript engines + userCookie.setHttpOnly(true); + // Set secure cookie if only HTTPS is used + userCookie.setSecure(httpsOnly()); } } String path = "/"; @@ -622,6 +627,15 @@ public class AuthenticationManager implements IAuthenticationManager { } } + + private boolean httpsOnly() { + int port = settings.getInteger(Keys.server.httpPort, 0); + int tlsPort = settings.getInteger(Keys.server.httpsPort, 0); + return (port <= 0 && tlsPort > 0) || + (port > 0 && tlsPort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true) ); + } + + /** * Logout a user. * |