Bump servlet-api to 3.1.0, make cookies http only.
This makes them invisible to JavaScript (which we don't use) to avoid the danger of someone injecting JavaScript somehow and stealing auth cookies. It's a dangerous world out there.
This commit is contained in:
@@ -44,8 +44,8 @@
|
|||||||
<dependencies>
|
<dependencies>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>javax.servlet</groupId>
|
<groupId>javax.servlet</groupId>
|
||||||
<artifactId>servlet-api</artifactId>
|
<artifactId>javax.servlet-api</artifactId>
|
||||||
<version>2.5</version>
|
<version>3.1.0</version>
|
||||||
<scope>provided</scope>
|
<scope>provided</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
|
|||||||
@@ -299,6 +299,7 @@ public class UserManager
|
|||||||
}
|
}
|
||||||
acookie.setPath("/");
|
acookie.setPath("/");
|
||||||
acookie.setMaxAge((expires > 0) ? (expires*24*60*60) : -1);
|
acookie.setMaxAge((expires > 0) ? (expires*24*60*60) : -1);
|
||||||
|
acookie.setHttpOnly(true);
|
||||||
if (USERMGR_DEBUG) {
|
if (USERMGR_DEBUG) {
|
||||||
log.info("Setting cookie " + acookie + ".");
|
log.info("Setting cookie " + acookie + ".");
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user