Mark the player cookie httpOnly

It doesn't improve much security-wise,
but it's a good practice anyway.
master
jvoisin 6 years ago
parent a3e59e9724
commit 3d54ef1afb
  1. 1
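--- a/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/service/PlayerService.java
@@ -151,6 +151,7 @@ public class PlayerService {
 String cookieName = COOKIE_NAME + "-" + StringUtil.utf8HexEncode(username);
 Cookie cookie = new Cookie(cookieName, String.valueOf(player.getId()));
 cookie.setMaxAge(COOKIE_EXPIRY);
+cookie.setHttpOnly(true);
 String path = request.getContextPath();
 if (StringUtils.isEmpty(path)) {
 path = "/";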
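Review bot: The cookie built here now carries HttpOnly but still no Secure attribute, so on an install reachable over plain HTTP it keeps travelling in clear text; adding `cookie.setSecure(request.isSecure());` next to the new `cookie.setHttpOnly(true);` line would cover HTTPS deployments without breaking HTTP-only ones. Behind a TLS-terminating proxy `isSecure()` only reports true if forwarded headers are honoured, so that is worth confirming. The value is the player id taken from `player.getId()`, so the code that reads the cookie back should presumably still verify that the player belongs to the authenticated user; that code is not visible here. The enclosing method starts and ends outside the hunk.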
