From 87c68f2f1c79aa3915fd3354c46408b36abadb48 Mon Sep 17 00:00:00 2001 From: Michael Bayne Date: Thu, 20 Feb 2025 11:41:00 -0800 Subject: [PATCH] Bump servlet-api to 3.1.0, make cookies http only. This makes them invisible to JavaScript (which we don't use) to avoid the danger of someone injecting JavaScript somehow and stealing auth cookies. It's a dangerous world out there. --- pom.xml | 4 ++-- src/main/java/com/samskivert/servlet/user/UserManager.java | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index a8c9f037..038c5709 100644 --- a/pom.xml +++ b/pom.xml @@ -44,8 +44,8 @@ javax.servlet - servlet-api - 2.5 + javax.servlet-api + 3.1.0 provided diff --git a/src/main/java/com/samskivert/servlet/user/UserManager.java b/src/main/java/com/samskivert/servlet/user/UserManager.java index 5536d5c7..ae15d67e 100644 --- a/src/main/java/com/samskivert/servlet/user/UserManager.java +++ b/src/main/java/com/samskivert/servlet/user/UserManager.java @@ -299,6 +299,7 @@ public class UserManager } acookie.setPath("/"); acookie.setMaxAge((expires > 0) ? (expires*24*60*60) : -1); + acookie.setHttpOnly(true); if (USERMGR_DEBUG) { log.info("Setting cookie " + acookie + "."); }