James Moger
2011-05-23 a4d2498b7f94012cfdf481fcf151f8cfd7537a42
src/com/gitblit/GitBlitServer.java
@@ -29,6 +29,7 @@
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.bio.SocketConnector;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.server.session.HashSessionManager;
import org.eclipse.jetty.server.ssl.SslConnector;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.server.ssl.SslSocketConnector;
@@ -193,6 +194,16 @@
      rootContext.setWar(location.toExternalForm());
      rootContext.setTempDirectory(tempDir);
      // Mark all cookies HttpOnly so they are not accessible to JavaScript
      // engines.
      // http://erlend.oftedal.no/blog/?blogid=33
      // https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting_HttpOnly
      HashSessionManager sessionManager = new HashSessionManager();
      sessionManager.setHttpOnly(true);
      // Use secure cookies if only serving https
      sessionManager.setSecureCookies(params.port <= 0 && params.securePort > 0);
      rootContext.getSessionHandler().setSessionManager(sessionManager);
      // Wicket Filter
      String wicketPathSpec = "/*";
      FilterHolder wicketFilter = new FilterHolder(WicketFilter.class);
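Review bot: The Secure flag on the session cookie is dropped whenever a plain-HTTP connector is configured alongside HTTPS, because `sessionManager.setSecureCookies(params.port <= 0 && params.securePort > 0)` only enables it when `params.port` is disabled, so in a mixed deployment a session established over HTTPS is also sent in cleartext on the HTTP port and the HttpOnly hardening above it does not cover that exposure. The short comment `// Use secure cookies if only serving https` should say this explicitly, e.g. `// Secure flag only when no plain-HTTP connector exists; with both connectors enabled the session cookie is also sent over HTTP`. Whether `params.port`/`params.securePort` really mean "HTTP connector enabled"/"HTTPS connector enabled" is inferred from their names here and should be confirmed against the connector setup earlier in this method. The enclosing method starts and ends outside the hunk.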