chiu01 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

DefaultHttpUtilities.addCookie does not set secure flag when not using httponly #23

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Lines 174-179 in DefaultHttpUtilities:

    if ( ESAPI.securityConfiguration().getForceHttpOnlyCookies() ) {
        String header = createCookieHeader(cookieName, cookieValue, maxAge, domain, path, secure);
        addHeader(response, "Set-Cookie", header);
    } else {
        response.addCookie(cookie);
    }

The createCookieHeader method does the right thing, adding the secure flag
if the config says it should and adding the httponly flag if the config
says it should. But when not forcing httponly in the config, the above code
calls response.addCookie, never checking the config to see if it should
force the secure flag and never modifying the cookie.

What version of the product are you using? On what operating system?

SVN revision 574 in trunk.

Original issue reported on code.google.com by cyounk...@gmail.com on 28 Jul 2009 at 5:03
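An added model of the branch quoted in the report (example code, not from the ESAPI project): it reproduces the else-branch that ignores the configured Secure flag beside an assumed fix that applies it before the cookie reaches the container, plus a header check a unit test can run. Config, containerAddCookie and the hardened shape are stand-ins for ESAPI's SecurityConfiguration, the servlet container and the fix in r844, none of which this page shows.

```java
public final class CookieFlagBranch {
    /** The two configuration flags the branch must consult (ESAPI's SecurityConfiguration exposes both). */
    static final class Config {
        final boolean forceHttpOnly, forceSecure;
        Config(boolean forceHttpOnly, boolean forceSecure) {
            this.forceHttpOnly = forceHttpOnly;
            this.forceSecure = forceSecure;
        }
    }

    /** Models what a servlet container emits for response.addCookie(): only the flags set on the Cookie itself. */
    static String containerAddCookie(String name, String value, boolean secure, boolean httpOnly) {
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (secure) sb.append("; Secure");
        if (httpOnly) sb.append("; HttpOnly");
        return sb.toString();
    }

    /** Branch as reported at r574: forceSecure is honoured only on the createCookieHeader path. */
    static String addCookieAsReported(String name, String value, boolean cookieSecure, Config cfg) {
        if (cfg.forceHttpOnly) {
            return containerAddCookie(name, value, cookieSecure || cfg.forceSecure, true); // createCookieHeader path
        }
        return containerAddCookie(name, value, cookieSecure, false); // response.addCookie(cookie): config ignored
    }

    /** Assumed fix: apply forceSecure to the Cookie (cookie.setSecure(true)) before either branch runs. */
    static String addCookieHardened(String name, String value, boolean cookieSecure, Config cfg) {
        boolean secure = cookieSecure || cfg.forceSecure;
        return containerAddCookie(name, value, secure, cfg.forceHttpOnly);
    }

    /** Response-side check a unit test or filter can run over an emitted Set-Cookie header. */
    static boolean hasAttribute(String setCookieHeader, String attribute) {
        for (String part : setCookieHeader.split(";")) {
            if (part.trim().equalsIgnoreCase(attribute)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Config cfg = new Config(false, true); // HttpOnly not forced, Secure forced: the case in the report
        String reported = addCookieAsReported("JSESSIONID", "abc123", false, cfg); // constructed sample cookie
        String hardened = addCookieHardened("JSESSIONID", "abc123", false, cfg);
        System.out.println("reported: " + reported + "  Secure=" + hasAttribute(reported, "Secure"));
        System.out.println("hardened: " + hardened + "  Secure=" + hasAttribute(hardened, "Secure"));
    }
}
```

With the report's configuration the reported branch emits the cookie without Secure while the hardened one emits it with Secure, which is the assertion a regression test for this issue should make.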

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r844.

Original comment by chrisisbeef on 2 Dec 2009 at 7:17

GoogleCodeExporter commented 8 years ago

Original comment by chrisisbeef on 2 Dec 2009 at 7:18