https://issues.shibboleth.net/jira/browse/SSPCPP-375

diff --git a/configs/example-shibboleth2.xml b/configs/example-shibboleth2.xml
index 87066d4..cf952dc 100644 (file)
--- a/configs/example-shibboleth2.xml
+++ b/configs/example-shibboleth2.xml
@@ -100,7 +100,7 @@
         You MUST supply an effectively unique handlerURL value for each of your applications.
         The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
         a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+        the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
         in that case. Note that while we default checkAddress to "false", this has a negative
         impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
         -->

diff --git a/configs/shibboleth2.xml b/configs/shibboleth2.xml
index 956ca55..134cb66 100644 (file)
--- a/configs/shibboleth2.xml
+++ b/configs/shibboleth2.xml
@@ -28,7 +28,7 @@
         You MUST supply an effectively unique handlerURL value for each of your applications.
         The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
         a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+        the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
         in that case. Note that while we default checkAddress to "false", this has a negative
         impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
         -->

diff --git a/configs/win-shibboleth2.xml b/configs/win-shibboleth2.xml
index 68c0bfc..c32f66c 100644 (file)
--- a/configs/win-shibboleth2.xml
+++ b/configs/win-shibboleth2.xml
@@ -71,7 +71,7 @@
         You MUST supply an effectively unique handlerURL value for each of your applications.
         The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
         a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+        the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
         in that case. Note that while we default checkAddress to "false", this has a negative
         impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
         -->

diff --git a/shibsp/Application.cpp b/shibsp/Application.cpp
index 111f2d0..c602411 100644 (file)
--- a/shibsp/Application.cpp
+++ b/shibsp/Application.cpp
@@ -60,7 +60,7 @@ const char* Application::getId() const
 
 pair<string,const char*> Application::getCookieNameProps(const char* prefix, time_t* lifetime) const
 {
-    static const char* defProps="; path=/";
+    static const char* defProps="; path=/; HttpOnly";
 
     if (lifetime)
         *lifetime = 0;

diff --git a/shibsp/handler/impl/AssertionConsumerService.cpp b/shibsp/handler/impl/AssertionConsumerService.cpp
index 24751fa..e2b4c49 100644 (file)
--- a/shibsp/handler/impl/AssertionConsumerService.cpp
+++ b/shibsp/handler/impl/AssertionConsumerService.cpp
@@ -475,7 +475,9 @@ void AssertionConsumerService::maintainHistory(
     pair<bool,bool> idpHistory=sessionProps->getBool("idpHistory");
 
     if (idpHistory.first && idpHistory.second) {
-        pair<bool,const char*> cookieProps=sessionProps->getString("cookieProps");
+        pair<bool,const char*> cookieProps=sessionProps->getString("idpHistoryProps");
+        if (!cookieProps.first)
+            cookieProps=sessionProps->getString("cookieProps");
         if (!cookieProps.first)
             cookieProps.second=defProps;