Caucho Forums  

#1
10-18-2012, 11:54 PM
ottomatico
Junior Member
Join Date: Oct 2012
Posts: 5

Securing Session Cookies - Tomcat

I'm having trouble setting the attributes for a session cookie. This is a result of a security scan which reported that the phpsession cookie was not complying with security standards (i.e. no secure or httponly attributes were set for it).

The application is running on PHP version 5.3.2 and is hosted in Tomcat 7 using JDK 1.7, which supports Java Servlet specification 3 and allows setting both attributes programmatically (via the HttpServletResponse interface).

I was able to set the secure attribute rather quickly, but the HttpOnly parameter of the session_set_cookie_params function, which I added before session_start, is not taken into account at all.

I installed today Quercus version 4.0.25 and made sure the web.xml declaration used servlet 3.0 but still no luck. Are there additional configuration steps that I am missing?

Any help is appreciated.
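As an added example, not code from the thread or from Quercus: a small Python check of the kind the security scan in the post performs, parsing Set-Cookie response headers and reporting which of the Secure and HttpOnly attributes are missing. The sample headers and the phpsession cookie name and value are constructed.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Constructed example, not code from the thread or from Quercus. Each
Set-Cookie header carries one cookie: name=value followed by
';'-separated attributes whose names are case-insensitive.
"""
from typing import Dict, List, Tuple

# Attributes the scan in the post expected on the session cookie.
REQUIRED = ("secure", "httponly")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Return {'name': ..., 'value': ..., '<attr>': '<attr value or empty>'}."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:  # tolerate a trailing ';'
            continue
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store "" for them.
        cookie[key.strip().lower()] = val.strip()
    return cookie


def missing_flags(header: str) -> List[str]:
    """List the REQUIRED flags absent from one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    return [flag for flag in REQUIRED if flag not in cookie]


def audit(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, missing flags) for every header that has a gap."""
    findings = []
    for header in headers:
        gaps = missing_flags(header)
        if gaps:
            findings.append((parse_set_cookie(header)["name"], gaps))
    return findings


# Constructed sample headers: the first is the condition the scan flagged,
# the second is the same cookie once Secure and HttpOnly are set.
SAMPLE_HEADERS = [
    "phpsession=abc123; Path=/",
    "phpsession=abc123; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", missing_flags(header) or "ok")
```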
#2
10-19-2012, 12:47 AM
nam
Administrator
Join Date: Aug 2009
Posts: 337

Thanks,

It looks like we're ignoring the HttpOnly argument. I've filed a bug report at:

http://bugs.caucho.com/view.php?id=5249
#3
10-26-2012, 11:39 PM
nam
Administrator
Join Date: Aug 2009
Posts: 337

I just fixed this for 4.0.33. If you like, you can check out the Resin sources and compile Quercus.
#4
10-31-2012, 04:33 PM
ottomatico
Junior Member
Join Date: Oct 2012
Posts: 5

Thanks very much. Could you tell me where I should go to check out the sources for 4.0.33?
#5
10-31-2012, 06:47 PM
nam
Administrator
Join Date: Aug 2009
Posts: 337

svn checkout svn://svn.caucho.com/home/svn/svnroot/resin/trunk resin
cd resin
ant

The Quercus jars (quercus.jar, resin-kernel.jar) will be in resin/lib.
#6
11-19-2012, 04:02 PM
ottomatico
Junior Member
Join Date: Oct 2012
Posts: 5

Thanks very much for your reply.

When I execute ant, the build fails, reporting a compile error:
module:
[copy] Copying 33 files to C:\quercus\resin\modules\quercus\classes
[javac] Compiling 363 source files to C:\quercus\resin\modules\quercus\classes
[javac] C:\quercus\resin\modules\quercus\src\com\caucho\quercus\lib\db\JavaSqlDriverWrapper.java:41: error: JavaSqlDriverWrapper is not abstract and does not override abstract method getParentLogger() in CommonDataSource
[javac] public class JavaSqlDriverWrapper implements javax.sql.DataSource
[javac] ^
[javac] C:\quercus\resin\modules\quercus\src\com\caucho\quercus\lib\db\QuercusDataSource.java:38: error: QuercusDataSource is not abstract and does not override abstract method getParentLogger() in CommonDataSource
[javac] public class QuercusDataSource implements DataSource {
[javac] ^
[javac] Note: Some input files use or override a deprecated API.
[javac] Note: Recompile with -Xlint:deprecation for details.
[javac] Note: Some input files use unchecked or unsafe operations.
[javac] Note: Recompile with -Xlint:unchecked for details.
[javac] 2 errors

BUILD FAILED
#7
11-19-2012, 05:11 PM
ottomatico
Junior Member
Join Date: Oct 2012
Posts: 5

I wanted to add to my prior post that the compile errors are due to the introduction in Java 1.7 of a new method "getParentLogger()" in the interface javax.sql.CommonDataSource.

I was successful building the code when using Java 1.6, and I'll be testing the code fix next.
#8
11-20-2012, 12:39 AM
ottomatico
Junior Member
Join Date: Oct 2012
Posts: 5

Final update:

The issue was resolved (tested in Tomcat 7 with a Java 7 runtime); the only dependency is doing the build using Java 1.6.

Thanks very much.
#9
11-20-2012, 02:29 AM
nam
Administrator
Join Date: Aug 2009
Posts: 337

Thanks for the tip on getParentLogger(). I just added a stub method for it in trunk, so it should compile fine on JDK 1.7.

http://bugs.caucho.com/view.php?id=5281
Tags
cookie, httponly