Mark the player cookie httpOnly

It doesn't improve much security-wise, but it's a good practise anyway.
5 years ago · 3d54ef1afb
parent a3e59e9724
commit 3d54ef1afb
1 changed files with 1 additions and 0 deletions
--- a/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
@ -151,6 +151,7 @@ public class PlayerService {
            String cookieName = COOKIE_NAME + "-" + StringUtil.utf8HexEncode(username);
            Cookie cookie = new Cookie(cookieName, String.valueOf(player.getId()));
            cookie.setMaxAge(COOKIE_EXPIRY);
+            cookie.setHttpOnly(true);
            String path = request.getContextPath();
            if (StringUtils.isEmpty(path)) {
                path = "/";