diff --git a/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java b/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java
index 21424a49f2..c9662a365b 100644
--- a/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java
+++ b/spring-web/src/main/java/org/springframework/web/util/CookieGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2009 the original author or authors.
+ * Copyright 2002-2012 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -64,9 +64,12 @@ public class CookieGenerator {
 private boolean cookieSecure = false;
+ private boolean cookieHttpOnly = false;
+
 /**
 * Use the given name for cookies created by this generator.
+ * @see javax.servlet.http.Cookie#getName()
 */
 public void setCookieName(String cookieName) {
 this.cookieName = cookieName;
@@ -82,6 +85,7 @@ public class CookieGenerator {
 /**
 * Use the given domain for cookies created by this generator.
 * The cookie is only visible to servers in this domain.
+ * @see javax.servlet.http.Cookie#setDomain
 */
 public void setCookieDomain(String cookieDomain) {
 this.cookieDomain = cookieDomain;
@@ -97,6 +101,7 @@ public class CookieGenerator {
 /**
 * Use the given path for cookies created by this generator.
 * The cookie is only visible to URLs in this path and below.
+ * @see javax.servlet.http.Cookie#setPath
 */
 public void setCookiePath(String cookiePath) {
 this.cookiePath = cookiePath;
@@ -112,6 +117,7 @@ public class CookieGenerator {
 /**
 * Use the given maximum age (in seconds) for cookies created by this generator.
 * Useful special value: -1 ... not persistent, deleted when client shuts down
+ * @see javax.servlet.http.Cookie#setMaxAge
 */
 public void setCookieMaxAge(Integer cookieMaxAge) {
 this.cookieMaxAge = cookieMaxAge;
@@ -128,6 +134,7 @@ public class CookieGenerator {
 * Set whether the cookie should only be sent using a secure protocol,
 * such as HTTPS (SSL). This is an indication to the receiving browser,
 * not processed by the HTTP server itself. Default is "false".
+ * @see javax.servlet.http.Cookie#setSecure
 */
 public void setCookieSecure(boolean cookieSecure) {
 this.cookieSecure = cookieSecure;
@@ -141,6 +148,22 @@ public class CookieGenerator {
 return this.cookieSecure;
 }
+ /**
+ * Set whether the cookie is supposed to be marked with the "HttpOnly" attribute.
+ *

Note that this feature is only available on Servlet 3.0 and higher.
+ * @see javax.servlet.http.Cookie#setHttpOnly
+ */
+ public void setCookieHttpOnly(boolean cookieHttpOnly) {
+ this.cookieHttpOnly = cookieHttpOnly;
+ }
+
+ /**
+ * Return whether the cookie is supposed to be marked with the "HttpOnly" attribute.
+ */
+ public boolean isCookieHttpOnly() {
+ return this.cookieHttpOnly;
+ }
+
 /**
 * Add a cookie with the given value to the response,
@@ -162,6 +185,9 @@ public class CookieGenerator {
 if (isCookieSecure()) {
 cookie.setSecure(true);
 }
+ if (isCookieHttpOnly()) {
+ cookie.setHttpOnly(true);
+ }
 response.addCookie(cookie);
 if (logger.isDebugEnabled()) {
 logger.debug("Added cookie with name [" + getCookieName() + "] and value [" + cookieValue + "]");
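Review bot: The Javadoc added for `setCookieHttpOnly` does not state the default, whereas the `setCookieSecure` Javadoc just above ends with `Default is "false".`; the same sentence belongs here, because the `cookieHttpOnly` field added in the second hunk is initialised to `false` and the attribute is therefore opt-in. The comment should also say what the flag is for, for example `HttpOnly asks the browser to keep the cookie out of reach of client-side script, which limits what a cross-site scripting flaw can read.` A generator that carries a session identifier or a similar token has to enable this explicitly, and the documentation is the only place a caller would learn that.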
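Review bot: The new `cookie.setHttpOnly(true)` call binds directly to a Servlet 3.0 method, so against an older servlet-api it would presumably fail with a `NoSuchMethodError` on the first response that writes the cookie rather than when the flag is configured. If pre-3.0 containers are still supported, a comment at the call such as `// Servlet 3.0+ only: fails with NoSuchMethodError on older containers` would at least make the failure mode findable. Separately, the unchanged `logger.debug` line in this hunk writes `cookieValue` to the log; a cookie worth marking HttpOnly is usually a credential, so logging only `"Added cookie with name [" + getCookieName() + "]"` is worth considering. The body of `addCookie` starts outside the hunk, and whether `removeCookie` applies the same flags is not visible here.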