OO-3585: set session cookie as secure (only if https available)

171b5d6d · srosse · 55058f7b · 171b5d6d · 171b5d6d
Commit 171b5d6d authored 6 years ago by srosse
--- a/src/main/java/org/olat/core/gui/control/winmgr/_content/serverpart.html
+++ b/src/main/java/org/olat/core/gui/control/winmgr/_content/serverpart.html
@@ -30,7 +30,7 @@ var timestampLastPoll = new Date().getTime();
 // set timestamp cookie to inform other windows that they are outdated
 var sbtimestamp = new Date().getTime();
 var sbcookie = 'OLAT-UI-TIMESTAMP';
-if (window.opener == null) document.cookie = sbcookie+'='+sbtimestamp+'; path=/';
+if (window.opener == null) document.cookie = sbcookie+'='+sbtimestamp+'; path=/; SameSite=strict';
 ## starts an interval which checks every second whether to send an poll request based on
 ## the pollperiod or not 10 min after the last click the poll process stops

--- a/src/main/java/org/olat/core/servlets/OpenOLATServlet.java
+++ b/src/main/java/org/olat/core/servlets/OpenOLATServlet.java
@@ -26,6 +26,7 @@ import java.util.Map;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
+import javax.servlet.SessionCookieConfig;
 import javax.servlet.annotation.MultipartConfig;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -124,6 +125,12 @@ public class OpenOLATServlet extends HttpServlet {
 			}
 		}
+		if(Settings.isSecurePortAvailable()) {
+			SessionCookieConfig cookieConfig = servletConfig.getServletContext().getSessionCookieConfig();
+			cookieConfig.setSecure(true);
+			cookieConfig.setHttpOnly(true);
+		}
 		//preload extensions
 		ExtManager.getInstance().getExtensions();
 		AbstractSpringModule.printStats();