update cookie policy

1 files changed, 5 insertions, 11 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
index 3fd99f6fc..34b44e991 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
@@ -261,7 +261,7 @@ public class SSOManager {
 			Logger.info("SSO Timeout can not be loaded from MOA-ID configuration. Use default Timeout with " + DEFAULTSSOTIMEOUT);
 			ssoTimeOut = DEFAULTSSOTIMEOUT;
 		}
-		setCookie(httpReq, httpResp, SSOCOOKIE, ssoId, ssoTimeOut);
+		setCookie(httpReq, httpResp, SSOCOOKIE, ssoId, -1);
 		
 	}
 		
@@ -375,12 +375,7 @@ public class SSOManager {
 		Cookie[] cookies = httpReq.getCookies();
 		
 		if (cookies != null) {
-			for (Cookie cookie : cookies) {
-				
-				// funktioniert nicht, da Cookie seltsamerweise immer unsecure übertragen wird
-				// (firefox)
-				// if (cookie.getName().equals(SSOCOOKIE) && cookie.getSecure()) {
-				
+			for (Cookie cookie : cookies) {						
 				if (cookie.getName().equals(cookieName)) {
 					return cookie.getValue();
 				}
@@ -395,15 +390,14 @@ public class SSOManager {
 		Cookie cookie = new Cookie(cookieName, cookieValue);
 		cookie.setMaxAge(maxAge);
 		cookie.setSecure(true);
-		
-		//TODO: could be a problem if the IDP is accessible from different contextPaths or Domains
+		cookie.setHttpOnly(true);
 		cookie.setPath(httpReq.getContextPath());
-		
+				
 		httpResp.addCookie(cookie);
 	}
 	
 	private void deleteCookie(HttpServletRequest httpReq, HttpServletResponse httpResp, String cookieName) {
-		setCookie(httpReq, httpResp, cookieName, "", 1);
+		setCookie(httpReq, httpResp, cookieName, "", 0);
 	}
 
 }