Merge pull request #1167 from fzs/secureCookies

Secure cookies
diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java
index d56d9c0..6123a87 100644
--- a/src/main/java/com/gitblit/GitBlitServer.java
+++ b/src/main/java/com/gitblit/GitBlitServer.java
@@ -375,7 +375,8 @@
 		HashSessionManager sessionManager = new HashSessionManager();
 		sessionManager.setHttpOnly(true);
 		// Use secure cookies if only serving https
-		sessionManager.setSecureRequestOnly(params.port <= 0 && params.securePort > 0);
+		sessionManager.setSecureRequestOnly( (params.port <= 0 && params.securePort > 0) ||
+				(params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) );
 		rootContext.getSessionHandler().setSessionManager(sessionManager);
 
 		// Ensure there is a defined User Service
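Review bot: The comment above the new condition is now stale — it still says "if only serving https", but the second clause added on the next two lines also enables Secure session cookies when both listeners are up and `redirectToHttpsPort` is set, so a reader will think the redirect case is a mistake; I would change it to `// Use secure cookies if only serving https, or if plain http is always redirected to https`. The same expression is also spelled out in AuthenticationManager.httpsOnly() in this commit, but there it reads `server.httpPort`/`server.httpsPort` from settings while this line reads `params.port`/`params.securePort`; if the two sources can disagree (e.g. a command-line port override) the JSESSIONID cookie and the gitblit auth cookie would get different Secure flags, so I would factor the decision into one shared helper fed from the same source. Neither listener being the TLS endpoint also covers the case where a reverse proxy terminates TLS in front of Gitblit, in which case this stays false — worth a comment so operators know the flag is not set there.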
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java
index 4978763..0a4d8ed 100644
--- a/src/main/java/com/gitblit/manager/AuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -608,6 +608,11 @@
 						userCookie = new Cookie(Constants.NAME, cookie);
 						// expire the cookie in 7 days
 						userCookie.setMaxAge((int) TimeUnit.DAYS.toSeconds(7));
+
+						// Set cookies HttpOnly so they are not accessible to JavaScript engines
+						userCookie.setHttpOnly(true);
+						// Set secure cookie if only HTTPS is used
+						userCookie.setSecure(httpsOnly());
 					}
 				}
 				String path = "/";
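Review bot: The Secure flag on the auth cookie is decided purely from the configured listener ports via `httpsOnly()`, not from whether the request that is issuing the cookie is actually over TLS; behind a TLS-terminating reverse proxy the https port is typically unset, so `httpsOnly()` returns false and the cookie is sent without Secure even though the client only ever speaks HTTPS. If the HttpServletRequest is in scope in the enclosing method (its signature is outside the hunk) it would be safer to also set Secure when `request.isSecure()` is true, e.g. `userCookie.setSecure(httpsOnly() || request.isSecure());`, and at minimum I would document the limitation on the new line: `// Secure is derived from the configured listeners only; behind a TLS-terminating proxy it stays false`. Note also that `Cookie.setHttpOnly` exists only from Servlet 3.0 on, so the container baseline should be confirmed.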
@@ -622,6 +627,15 @@
 		}
 	}
 
+
+	private boolean httpsOnly() {
+		int port = settings.getInteger(Keys.server.httpPort, 0);
+		int tlsPort = settings.getInteger(Keys.server.httpsPort, 0);
+		return  (port <= 0 && tlsPort > 0) ||
+				(port > 0 && tlsPort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true) );
+	}
+
+
 	/**
 	 * Logout a user.
 	 *
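Review bot: The new `httpsOnly()` helper has no Javadoc and the hard-coded default `true` for `redirectToHttpsPort` is a second copy of a default that the redirect logic itself presumably reads elsewhere; if the two defaults ever differ, cookies get marked Secure while HTTP requests are not redirected (or vice versa), so I would hoist the default into a shared constant or have the helper call the same code the redirect path uses. I would add a Javadoc such as `/** Returns true when sessions can only be established over TLS: either no plain http listener is configured, or both are configured and http is redirected to https. */`. Stylistically, the double space in `return  (` and the two blank lines before and after the method (L38, L45–L46) should be collapsed to match the surrounding file.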