Bump servlet-api to 3.1.0, make cookies http only.

This makes them invisible to JavaScript (which we don't use) to avoid the
danger of someone injecting JavaScript somehow and stealing auth cookies. It's
a dangerous world out there.
This commit is contained in:
Michael Bayne
2025-02-20 11:41:00 -08:00
parent a05da202af
commit 87c68f2f1c
2 changed files with 3 additions and 2 deletions
+2 -2
View File
@@ -44,8 +44,8 @@
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>javax.servlet</groupId> <groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId> <artifactId>javax.servlet-api</artifactId>
<version>2.5</version> <version>3.1.0</version>
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>
<dependency> <dependency>
@@ -299,6 +299,7 @@ public class UserManager
} }
acookie.setPath("/"); acookie.setPath("/");
acookie.setMaxAge((expires > 0) ? (expires*24*60*60) : -1); acookie.setMaxAge((expires > 0) ? (expires*24*60*60) : -1);
acookie.setHttpOnly(true);
if (USERMGR_DEBUG) { if (USERMGR_DEBUG) {
log.info("Setting cookie " + acookie + "."); log.info("Setting cookie " + acookie + ".");
} }