authorFlorian Zschocke <florian.zschocke@devolo.de>2016-12-10 10:57:45 +0100
committerFlorian Zschocke <florian.zschocke@devolo.de>2016-12-10 10:57:45 +0100
commit90a8d1af6c202c8efcca5a0fdaf341494cb0b8eb (patch)
treebd9f0f4bc67cdb5a2dbffe7500e9432331698df3 /src
parentd10fe0d8fd614f6ae6606179b0326bdc6a5f6af8 (diff)
Set secure user cookies and only for HTTP.
Mark the user authentication cookie HttpOnly, making it inaccessible to JavaScript. If only HTTPS is used and no plain HTTP (i.e. also if HTTP is redirected to HTTPS), then additionally mark the user cookie Secure so it is only sent over TLS connections.
Diffstat (limited to 'src')
-rw-r--r--src/main/java/com/gitblit/manager/AuthenticationManager.java14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java
index 49787631..0a4d8ed7 100644
--- a/src/main/java/com/gitblit/manager/AuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -608,6 +608,11 @@ public class AuthenticationManager implements IAuthenticationManager {
userCookie = new Cookie(Constants.NAME, cookie);
// expire the cookie in 7 days
userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7));
+
+ // Set cookies HttpOnly so they are not accessible to JavaScript engines
+ userCookie.setHttpOnly(true);
+ // Set secure cookie if only HTTPS is used
+ userCookie.setSecure(httpsOnly());
}
}
String path = "/";
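Review bot: The Secure flag on the new `userCookie.setSecure(httpsOnly());` line is decided purely from Gitblit's own listener configuration, so a deployment where TLS is terminated by a reverse proxy and Gitblit itself only has `server.httpPort` configured ends up with a non-Secure session cookie even though clients only ever speak HTTPS to the proxy. If the enclosing method (its signature is above the hunk) has the servlet request in scope, combining the two signals, e.g. `userCookie.setSecure(httpsOnly() || request.isSecure());`, would cover that case; whether the proxy's forwarded-protocol header is trusted is a separate decision that presumably belongs in the connector configuration. Either way the limitation deserves a comment next to the call, e.g. `// Secure is derived from the configured ports only; behind a TLS-terminating proxy this yields a non-Secure cookie`. Note also that `Cookie.setHttpOnly` exists only from the Servlet 3.0 API onward, so this change presumably raises the minimum servlet container version and should be mentioned in the release notes.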
@@ -622,6 +627,15 @@ public class AuthenticationManager implements IAuthenticationManager {
}
}
+
+ private boolean httpsOnly() {
+ int port = settings.getInteger(Keys.server.httpPort, 0);
+ int tlsPort = settings.getInteger(Keys.server.httpsPort, 0);
+ return (port <= 0 && tlsPort > 0) ||
+ (port > 0 && tlsPort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true) );
+ }
+
+
/**
* Logout a user.
*