From 83d95ee5dafd65d42b0016611af14ceeb795db34 Mon Sep 17 00:00:00 2001
From: "U-ID\\ZENEXITY_S"
Date: Tue, 19 Oct 2010 11:54:37 +0200
Subject: [PATCH] [#303] Only set httpOnly on the session cookie if specified in application.conf
---
 framework/src/play/mvc/Scope.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/framework/src/play/mvc/Scope.java b/framework/src/play/mvc/Scope.java
index 4cf16010ec..8935d5efbc 100644
--- a/framework/src/play/mvc/Scope.java
+++ b/framework/src/play/mvc/Scope.java
@@ -27,6 +27,7 @@ public class Scope {
 public static final String COOKIE_PREFIX = Play.configuration.getProperty("application.session.cookie", "PLAY");
 public static final boolean COOKIE_SECURE = Play.configuration.getProperty("application.session.secure", "false").toLowerCase().equals("true");
 public static final String COOKIE_EXPIRE = Play.configuration.getProperty("application.session.maxAge");
+ public static final boolean SESSION_HTTPONLY = Play.configuration.getProperty("application.session.httpOnly", "false").toLowerCase().equals("true");
 /**
 * Flash scope
@@ -222,9 +223,9 @@ void save() {
 String sessionData = URLEncoder.encode(session.toString(), "utf-8");
 String sign = Crypto.sign(sessionData, Play.secretKey.getBytes());
 if (COOKIE_EXPIRE == null) {
- Http.Response.current().setCookie(COOKIE_PREFIX + "_SESSION", sign + "-" + sessionData, null, "/", null, COOKIE_SECURE, true /* httpOnly */);
+ Http.Response.current().setCookie(COOKIE_PREFIX + "_SESSION", sign + "-" + sessionData, null, "/", null, COOKIE_SECURE, SESSION_HTTPONLY);
 } else {
- Http.Response.current().setCookie(COOKIE_PREFIX + "_SESSION", sign + "-" + sessionData, null, "/", Time.parseDuration(COOKIE_EXPIRE), COOKIE_SECURE, true /* httpOnly */);
+ Http.Response.current().setCookie(COOKIE_PREFIX + "_SESSION", sign + "-" + sessionData, null, "/", Time.parseDuration(COOKIE_EXPIRE), COOKIE_SECURE, SESSION_HTTPONLY);
 }
 } catch (Exception e) {
 throw new UnexpectedException("Session serializationProblem", e);
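Review bot: Both setCookie calls in this hunk now pass SESSION_HTTPONLY, whose declaration in the first hunk defaults to "false", so the removed lines' unconditional `true /* httpOnly */` becomes an opt-in: every deployment that has not added application.session.httpOnly silently loses the HttpOnly flag on the signed session cookie. If the goal is only to make the flag configurable, preserving the previous behaviour as the default is the safer choice, i.e. in the first hunk `public static final boolean SESSION_HTTPONLY = Play.configuration.getProperty("application.session.httpOnly", "true").toLowerCase().equals("true");`. That constant also follows COOKIE_SECURE in comparing a bare `toLowerCase()` result, which depends on the default locale; `Boolean.parseBoolean(Play.configuration.getProperty("application.session.httpOnly", "true"))` would do the same job without that dependence. The enclosing save() method begins before this hunk and its closing braces fall after it.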