Example 1 with HttpCookie

use of org.eclipse.jetty.http.HttpCookie in project jetty.project by eclipse.

the class SessionCookieTest method testSecureSessionCookie.

@Test
public void testSecureSessionCookie() throws Exception {
    Server server = new Server();
    MockSessionIdManager idMgr = new MockSessionIdManager(server);
    idMgr.setWorkerName("node1");
    SessionHandler mgr = new SessionHandler();
    MockSessionStore store = new MockSessionStore(mgr);
    store.setSessionDataStore(new NullSessionDataStore());
    mgr.setSessionCache(store);
    mgr.setSessionIdManager(idMgr);
    long now = System.currentTimeMillis();
    Session session = new Session(null, new SessionData("123", "_foo", "0.0.0.0", now, now, now, 30));
    SessionCookieConfig sessionCookieConfig = mgr.getSessionCookieConfig();
    sessionCookieConfig.setSecure(true);
    //sessionCookieConfig.secure == true, always mark cookie as secure, irrespective of if requestIsSecure
    HttpCookie cookie = mgr.getSessionCookie(session, "/foo", true);
    assertTrue(cookie.isSecure());
    //sessionCookieConfig.secure == true, always mark cookie as secure, irrespective of if requestIsSecure
    cookie = mgr.getSessionCookie(session, "/foo", false);
    assertTrue(cookie.isSecure());
    //sessionCookieConfig.secure==false, setSecureRequestOnly==true, requestIsSecure==true
    //cookie should be secure: see SessionCookieConfig.setSecure() javadoc
    sessionCookieConfig.setSecure(false);
    cookie = mgr.getSessionCookie(session, "/foo", true);
    assertTrue(cookie.isSecure());
    //sessionCookieConfig.secure=false, setSecureRequestOnly==true, requestIsSecure==false
    //cookie is not secure: see SessionCookieConfig.setSecure() javadoc
    cookie = mgr.getSessionCookie(session, "/foo", false);
    assertFalse(cookie.isSecure());
    //sessionCookieConfig.secure=false, setSecureRequestOnly==false, requestIsSecure==false
    //cookie is not secure: not a secure request
    mgr.setSecureRequestOnly(false);
    cookie = mgr.getSessionCookie(session, "/foo", false);
    assertFalse(cookie.isSecure());
    //sessionCookieConfig.secure=false, setSecureRequestOnly==false, requestIsSecure==true
    //cookie is not secure: secureRequestOnly is off, so even a secure request does not set the flag
    cookie = mgr.getSessionCookie(session, "/foo", true);
    assertFalse(cookie.isSecure());
}
Also used : Server(org.eclipse.jetty.server.Server) SessionCookieConfig(javax.servlet.SessionCookieConfig) HttpCookie(org.eclipse.jetty.http.HttpCookie) Test(org.junit.Test)

Example 2 with HttpCookie

use of org.eclipse.jetty.http.HttpCookie in project jetty.project by eclipse.

the class SessionHandler method getSessionCookie.

/* ------------------------------------------------------------ */
/**
 * A session cookie is marked as secure IFF any of the following conditions are true:
 * <ol>
 * <li>SessionCookieConfig.setSecure == true</li>
 * <li>SessionCookieConfig.setSecure == false &amp;&amp; _secureRequestOnly==true &amp;&amp; request is HTTPS</li>
 * </ol>
 * According to SessionCookieConfig javadoc, case 1 can be used when:
 * "... even though the request that initiated the session came over HTTP,
 * is to support a topology where the web container is front-ended by an
 * SSL offloading load balancer. In this case, the traffic between the client
 * and the load balancer will be over HTTPS, whereas the traffic between the
 * load balancer and the web container will be over HTTP."
 * <p>
 * For case 2, you can use _secureRequestOnly to determine if you want the
 * Servlet Spec 3.0 default behavior when SessionCookieConfig.setSecure==false,
 * which is:
 * <cite>
 * "they shall be marked as secure only if the request that initiated the
 * corresponding session was also secure"
 * </cite>
 * <p>
 * The default for _secureRequestOnly is true, which gives the above behavior. If
 * you set it to false, then a session cookie is NEVER marked as secure, even if
 * the initiating request was secure.
 *
 * @param session         the session to which the cookie should refer.
 * @param contextPath     the context to which the cookie should be linked.
 *                        The client will only send the cookie value when requesting resources under this path.
 * @param requestIsSecure whether the client is accessing the server over a secure protocol (i.e. HTTPS).
 * @return if this <code>SessionManager</code> uses cookies, then this method will return a new
 *         {@link Cookie cookie object} that should be set on the client in order to link future HTTP requests
 *         with the <code>session</code>. If cookies are not in use, this method returns <code>null</code>.
 */
public HttpCookie getSessionCookie(HttpSession session, String contextPath, boolean requestIsSecure) {
    if (isUsingCookies()) {
        String sessionPath = (_cookieConfig.getPath() == null) ? contextPath : _cookieConfig.getPath();
        sessionPath = (sessionPath == null || sessionPath.length() == 0) ? "/" : sessionPath;
        String id = getExtendedId(session);
        HttpCookie cookie = null;
        // Secure flag: forced by the cookie config, or (with secureRequestOnly, the default)
        // set only when the initiating request itself came over HTTPS.
        boolean secure = _cookieConfig.isSecure() || (isSecureRequestOnly() && requestIsSecure);
        if (_sessionComment == null) {
            cookie = new HttpCookie(
                _cookieConfig.getName(),
                id,
                _cookieConfig.getDomain(),
                sessionPath,
                _cookieConfig.getMaxAge(),
                _cookieConfig.isHttpOnly(),
                secure);
        } else {
            cookie = new HttpCookie(
                _cookieConfig.getName(),
                id,
                _cookieConfig.getDomain(),
                sessionPath,
                _cookieConfig.getMaxAge(),
                _cookieConfig.isHttpOnly(),
                secure,
                _sessionComment,
                1);
        }
        return cookie;
    }
    return null;
}
Also used : HttpCookie(org.eclipse.jetty.http.HttpCookie)

Example 3 with HttpCookie

use of org.eclipse.jetty.http.HttpCookie in project keywhiz by square.

the class AuthenticatedEncryptedCookieFactory method getExpiredSessionCookie.

/**
 * Produces an expired cookie string, used to update/overwrite an existing cookie.
 *
 * @return serialized expired cookie with matching parameters to authenticating cookie.
 */
public NewCookie getExpiredSessionCookie() {
    HttpCookie cookie = new HttpCookie(config.getName(), "expired", config.getDomain(), config.getPath(), 0, config.isHttpOnly(), config.isSecure());
    Response response = new Response(null, null);
    response.addCookie(cookie);
    return NewCookie.valueOf(response.getHttpFields().getStringField(HttpHeader.SET_COOKIE));
}
Also used : Response(org.eclipse.jetty.server.Response) HttpCookie(org.eclipse.jetty.http.HttpCookie)

Example 4 with HttpCookie

use of org.eclipse.jetty.http.HttpCookie in project keywhiz by square.

the class XsrfProtection method generate.

public NewCookie generate(String session) {
    checkArgument(!session.isEmpty());
    String cookieValue = SHA512.hashString(session, UTF_8).toString();
    // HttpOnly MUST NOT be present for this cookie.
    HttpCookie cookie = new HttpCookie(config.getName(), cookieValue, config.getDomain(), config.getPath(), -1, config.isHttpOnly(), config.isSecure());
    Response response = new Response(null, null);
    response.addCookie(cookie);
    return NewCookie.valueOf(response.getHttpFields().getStringField(HttpHeader.SET_COOKIE));
}
Also used : Response(org.eclipse.jetty.server.Response) HttpCookie(org.eclipse.jetty.http.HttpCookie)

Example 5 with HttpCookie

use of org.eclipse.jetty.http.HttpCookie in project jetty.project by eclipse.

the class SessionHandler method access.

/* ------------------------------------------------------------ */
/**
 * Called by the {@link SessionHandler} when a session is first accessed by a request.
 *
 * @param session the session object
 * @param secure  whether the request is secure or not
 * @return the session cookie. If not null, this cookie should be set on the response to either migrate
 *         the session or to refresh a session cookie that may expire.
 * @see #complete(HttpSession)
 */
public HttpCookie access(HttpSession session, boolean secure) {
    long now = System.currentTimeMillis();
    Session s = ((SessionIf) session).getSession();
    if (s.access(now)) {
        // Do we need to refresh the cookie? Yes if the session id changed, or if the cookie
        // has a finite max-age, refreshing is enabled, and the cookie is older than the refresh age.
        if (isUsingCookies()
            && (s.isIdChanged()
                || (getSessionCookieConfig().getMaxAge() > 0
                    && getRefreshCookieAge() > 0
                    && ((now - s.getCookieSetTime()) / 1000 > getRefreshCookieAge())))) {
            HttpCookie cookie = getSessionCookie(session, _context == null ? "/" : (_context.getContextPath()), secure);
            s.cookieSet();
            s.setIdChanged(false);
            return cookie;
        }
    }
    return null;
}
Also used : HttpCookie(org.eclipse.jetty.http.HttpCookie) HttpSession(javax.servlet.http.HttpSession)
