From 171b5d6d56afd867d9124ba8eac6d4f92feeecef Mon Sep 17 00:00:00 2001
From: srosse <stephane.rosse@frentix.com>
Date: Wed, 25 Jul 2018 15:02:35 +0200
Subject: [PATCH] OO-3585: set session cookie as secure (only if https
 available)

---
 .../olat/core/gui/control/winmgr/_content/serverpart.html  | 2 +-
 src/main/java/org/olat/core/servlets/OpenOLATServlet.java  | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/olat/core/gui/control/winmgr/_content/serverpart.html b/src/main/java/org/olat/core/gui/control/winmgr/_content/serverpart.html
index 8297a5e466b..84e7c873592 100644
--- a/src/main/java/org/olat/core/gui/control/winmgr/_content/serverpart.html
+++ b/src/main/java/org/olat/core/gui/control/winmgr/_content/serverpart.html
@@ -30,7 +30,7 @@ var timestampLastPoll = new Date().getTime();
 // set timestamp cookie to inform other windows that they are outdated
 var sbtimestamp = new Date().getTime();
 var sbcookie = 'OLAT-UI-TIMESTAMP';
-if (window.opener == null) document.cookie = sbcookie+'='+sbtimestamp+'; path=/';
+if (window.opener == null) document.cookie = sbcookie+'='+sbtimestamp+'; path=/; SameSite=strict';
 
 ## starts an interval which checks every second whether to send an poll request based on
 ## the pollperiod or not 10 min after the last click the poll process stops
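Review bot: The `OLAT-UI-TIMESTAMP` cookie on the changed line still has no `Secure` attribute, so on an HTTPS deployment it is sent over plain HTTP while the session cookie in the Java hunk of this same commit is marked secure; a cookie written from script can never be HttpOnly, but it can be restricted to TLS. Since the value is only a window timestamp rather than a credential, the exposure looks low, yet it is cheap to align: `document.cookie = sbcookie+'='+sbtimestamp+'; path=/; SameSite=strict' + (location.protocol === 'https:' ? '; Secure' : '');`. The comment above the line could also say why SameSite was added, e.g. `// SameSite=strict: this cookie only coordinates windows of the same origin, never send it on cross-site requests`.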
diff --git a/src/main/java/org/olat/core/servlets/OpenOLATServlet.java b/src/main/java/org/olat/core/servlets/OpenOLATServlet.java
index 618be5c9c82..1c8f7c8faff 100644
--- a/src/main/java/org/olat/core/servlets/OpenOLATServlet.java
+++ b/src/main/java/org/olat/core/servlets/OpenOLATServlet.java
@@ -26,6 +26,7 @@ import java.util.Map;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
+import javax.servlet.SessionCookieConfig;
 import javax.servlet.annotation.MultipartConfig;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -124,6 +125,12 @@ public class OpenOLATServlet extends HttpServlet {
 			}
 		}
 		
+		if(Settings.isSecurePortAvailable()) {
+			SessionCookieConfig cookieConfig = servletConfig.getServletContext().getSessionCookieConfig();
+			cookieConfig.setSecure(true);
+			cookieConfig.setHttpOnly(true);
+		}
+		
 		//preload extensions
 		ExtManager.getInstance().getExtensions();
 		AbstractSpringModule.printStats();
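Review bot: `cookieConfig.setHttpOnly(true)` is gated on `Settings.isSecurePortAvailable()`, but HttpOnly has nothing to do with TLS and should protect the session id from script access on plain-HTTP deployments too; acquire the config outside the check and hoist `cookieConfig.setHttpOnly(true);` above the `if`, leaving only `setSecure(true)` conditional. Note also that the `SessionCookieConfig` setters are specified to throw `IllegalStateException` once the ServletContext has been initialized, and a servlet's init runs after context initialization, so whether this call succeeds appears to depend on the container's startup ordering; a `ServletContextListener` or the `<session-config><cookie-config>` element in web.xml is the portable place for these flags, and a comment such as `// must run before the context finishes starting; relies on load-on-startup ordering` would at least record the assumption. The enclosing method (presumably the servlet's init, given `servletConfig`) begins before this hunk and continues after it.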
-- 
GitLab