From a4d2498b7f94012cfdf481fcf151f8cfd7537a42 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 23 May 2011 16:46:09 -0400
Subject: [PATCH] User list. Revised home page. Updated Jetty. Secure cookies. Docs.

---
 src/com/gitblit/GitBlitServer.java |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/src/com/gitblit/GitBlitServer.java b/src/com/gitblit/GitBlitServer.java
index 08c9b29..e9e4463 100644
--- a/src/com/gitblit/GitBlitServer.java
+++ b/src/com/gitblit/GitBlitServer.java
@@ -29,6 +29,7 @@
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.bio.SocketConnector;
 import org.eclipse.jetty.server.nio.SelectChannelConnector;
+import org.eclipse.jetty.server.session.HashSessionManager;
 import org.eclipse.jetty.server.ssl.SslConnector;
 import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
 import org.eclipse.jetty.server.ssl.SslSocketConnector;
@@ -192,6 +193,16 @@
 		rootContext.setServer(server);
 		rootContext.setWar(location.toExternalForm());
 		rootContext.setTempDirectory(tempDir);
+		
+		// Mark all cookies HttpOnly so they are not accessible to JavaScript
+		// engines.
+		// http://erlend.oftedal.no/blog/?blogid=33
+		// https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting_HttpOnly
+		HashSessionManager sessionManager = new HashSessionManager();
+		sessionManager.setHttpOnly(true);
+		// Use secure cookies if only serving https
+		sessionManager.setSecureCookies(params.port <= 0 && params.securePort > 0);
+		rootContext.getSessionHandler().setSessionManager(sessionManager);
 
 		// Wicket Filter
 		String wicketPathSpec = "/*";
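Review bot: The Secure flag at `sessionManager.setSecureCookies(params.port <= 0 && params.securePort > 0)` is applied only when plain HTTP is disabled entirely, so in a mixed HTTP/HTTPS deployment a session established over `securePort` is still transmitted in cleartext on `port`, and the session id can be captured by a passive observer. If the bundled Jetty exposes it, `sessionManager.setSecureRequestOnly(true)` marks the cookie Secure whenever the session is created over TLS instead of keying it off the port configuration; if not, at least emit a warning when `params.port > 0 && params.securePort > 0` so operators know the session cookie is unprotected on the HTTP connector. The comment above the new lines also overstates the effect: `setHttpOnly(true)` covers only the session cookie Jetty issues, not any other cookies the application or Wicket may set, so `// Mark the Jetty session cookie HttpOnly so it is not accessible to JavaScript` would be more accurate. The enclosing method starts and ends outside the hunk.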

--
Gitblit v1.9.1