From 3d54ef1afbdc80b3f66db6d8440f3d154c79f4cf Mon Sep 17 00:00:00 2001
From: jvoisin <julien.voisin@dustri.org>
Date: Wed, 24 Apr 2019 21:32:03 +0200
Subject: [PATCH] Mark the player cookie httpOnly

It doesn't improve much security-wise,
but it's a good practise anyway.
---
 .../src/main/java/org/airsonic/player/service/PlayerService.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java b/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
index 53c26880..395fadbc 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
@@ -151,6 +151,7 @@ public class PlayerService {
             String cookieName = COOKIE_NAME + "-" + StringUtil.utf8HexEncode(username);
             Cookie cookie = new Cookie(cookieName, String.valueOf(player.getId()));
             cookie.setMaxAge(COOKIE_EXPIRY);
+            cookie.setHttpOnly(true);
             String path = request.getContextPath();
             if (StringUtils.isEmpty(path)) {
                 path = "/";