From 0d433cb0e010a32cb9a961d119c4cbc2937d33f1 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 22 Jul 2015 10:10:53 +0200
Subject: update cookie policy

---
 .../java/at/gv/egovernment/moa/id/moduls/SSOManager.java | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)


diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
index 3fd99f6fc..34b44e991 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
@@ -261,7 +261,7 @@ public class SSOManager {
 			Logger.info("SSO Timeout can not be loaded from MOA-ID configuration. Use default Timeout with " + DEFAULTSSOTIMEOUT);
 			ssoTimeOut = DEFAULTSSOTIMEOUT;
 		}
-		setCookie(httpReq, httpResp, SSOCOOKIE, ssoId, ssoTimeOut);
+		setCookie(httpReq, httpResp, SSOCOOKIE, ssoId, -1);
 		
 	}
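Review bot: After this change `ssoTimeOut` is still resolved and logged on the two lines above the call, but it is no longer passed anywhere, so the log line "Use default Timeout with …" now describes a value that has no effect on the cookie. If the intent is that the SSO cookie becomes a browser-session cookie and its lifetime is enforced only by the server-side SSO session expiry, that should be stated where the literal `-1` is used, e.g. `// -1: session cookie, no Max-Age; lifetime is bounded by the server-side SSO session timeout, not the browser`; otherwise the timeout lookup is dead code and should be dropped or moved to where the server-side expiry is applied. The enclosing method starts before this hunk, so I cannot see whether `ssoTimeOut` is used elsewhere in it.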
 		
@@ -375,12 +375,7 @@ public class SSOManager {
 		Cookie[] cookies = httpReq.getCookies();
 		
 		if (cookies != null) {
-			for (Cookie cookie : cookies) {
-				
-				// funktioniert nicht, da Cookie seltsamerweise immer unsecure übertragen wird
-				// (firefox)
-				// if (cookie.getName().equals(SSOCOOKIE) && cookie.getSecure()) {
-				
+			for (Cookie cookie : cookies) {						
 				if (cookie.getName().equals(cookieName)) {
 					return cookie.getValue();
 				}
@@ -395,15 +390,14 @@ public class SSOManager {
 		Cookie cookie = new Cookie(cookieName, cookieValue);
 		cookie.setMaxAge(maxAge);
 		cookie.setSecure(true);
-		
-		//TODO: could be a problem if the IDP is accessible from different contextPaths or Domains
+		cookie.setHttpOnly(true);
 		cookie.setPath(httpReq.getContextPath());
-		
+				
 		httpResp.addCookie(cookie);
 	}
 	
 	private void deleteCookie(HttpServletRequest httpReq, HttpServletResponse httpResp, String cookieName) {
-		setCookie(httpReq, httpResp, cookieName, "", 1);
+		setCookie(httpReq, httpResp, cookieName, "", 0);
 	}
 
 }
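Review bot: The removed TODO about the IDP being reachable under different context paths or domains is not resolved by this hunk — the cookie path is still taken from `httpReq.getContextPath()` on the following line, so the limitation it described is unchanged and only the warning disappears; I would keep a one-line comment there, e.g. `// cookie is scoped to the request's context path; a deployment reachable under several paths/domains will not share it`. The change of `deleteCookie` to `maxAge` 0 is the right fix, since 1 previously left the cookie alive for one more second; a short `// Max-Age 0 instructs the browser to discard the cookie immediately` would make the magic number self-explanatory. `setHttpOnly(true)` is presumably available because the project targets a Servlet 3.0+ API; worth confirming against the container the module is deployed to. Lines `for (Cookie cookie : cookies) {` in the previous hunk and the blank line after `setPath` carry trailing whitespace.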
-- 
cgit v1.2.3