marylinh / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

SecurityWrapperResponse.createCookieHeader modification request #223

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I'm trying to implement the SecurityWrapper filter in a java app and I'm 
running into an issue with the max-age.  IE just ignores the parameter, and 
Firefox/Chrome seem to treat Max-Age=-1 as equivalent to Max-Age=0.  Would it 
be possible to update the createCookieHeader() function in 
SecurityWrapperResponse.java to something like this:

private String createCookieHeader(String name, String value, int maxAge, String 
domain, String path, boolean secure) {
        // create the special cookie header instead of creating a Java cookie
        // Set-Cookie:<name>=<value>[; <name>=<value>][; expires=<date>][;
        // domain=<domain_name>][; path=<some_path>][; secure][;HttpOnly
        String header = name + "=" + value;
        if (maxAge >= 0) {
              header += "; Max-Age=" + maxAge;
        }
        if (domain != null) {
            header += "; Domain=" + domain;
        }
        if (path != null) {
            header += "; Path=" + path;
        }
        if ( secure || ESAPI.securityConfiguration().getForceSecureCookies() ) {
                     header += "; Secure";
        }
        if ( ESAPI.securityConfiguration().getForceHttpOnlyCookies() ) {
                     header += "; HttpOnly";
        }
        return header;
    }

Tyler Mathwich
Software Developer
Information Technology Dept.
State of North Dakota
(701) 328-6564

Original issue reported on code.google.com by manico.james@gmail.com on 5 May 2011 at 11:15

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 29 May 2012 at 3:26

GoogleCodeExporter commented 9 years ago
Also, please set both the Expires and Max-Age fields.  IE 6/7/8 do not support 
Max-Age. See: http://mrcoles.com/blog/cookies-max-age-vs-expires/ for more 
details.

This also affects the DefaultHTTPUtilities.addCookie() method as well.

Thanks,
Neil Olson

Original comment by neiltol...@gmail.com on 19 Jun 2012 at 7:53