From 3d54ef1afbdc80b3f66db6d8440f3d154c79f4cf Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 24 Apr 2019 21:32:03 +0200
Subject: [PATCH] Mark the player cookie httpOnly

It doesn't improve much security-wise, but it's a good practise anyway.
---
 .../src/main/java/org/airsonic/player/service/PlayerService.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java b/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
index 53c26880..395fadbc 100644
--- a/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
@@ -151,6 +151,7 @@ public class PlayerService {
 String cookieName = COOKIE_NAME + "-" + StringUtil.utf8HexEncode(username);
 Cookie cookie = new Cookie(cookieName, String.valueOf(player.getId()));
 cookie.setMaxAge(COOKIE_EXPIRY);
+cookie.setHttpOnly(true);
 String path = request.getContextPath();
 if (StringUtils.isEmpty(path)) {
 path = "/";
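Review bot: The Secure flag is still missing on the cookie created at the top of this hunk, so the player-id cookie will also be sent on plain-HTTP requests even when the user came in over TLS; next to the added `cookie.setHttpOnly(true);` I would add `cookie.setSecure(request.isSecure());` so the flag follows the scheme the request arrived on. HttpOnly only prevents script access to the cookie and does nothing about it travelling in clear text, which is worth stating in the commit message rather than "doesn't improve much security-wise". If the application sits behind a TLS-terminating proxy, `request.isSecure()` may report false unless the container is configured to honour forwarded headers, so that deployment case should be checked before relying on it. The enclosing method starts and ends outside the hunk.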