From 29437a2557f37456b4fa45ce75880ce6eea1cbba Mon Sep 17 00:00:00 2001
From: felmer <franz-josef.elmer@id.ethz.ch>
Date: Tue, 27 Mar 2018 15:07:34 +0200
Subject: [PATCH] SSDM-6285: also for DSS: setting for all cookies
 httpOnly=true and secure=true

---
 .../cisd/openbis/dss/generic/server/DataStoreServer.java        | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java b/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
index a227191d4ae..66dc6025c27 100644
--- a/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
+++ b/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
@@ -251,6 +251,8 @@ public class DataStoreServer
                 ServiceProvider.getApplicationContext());
         // Disable URL rewriting (forces container to stop appending ";jsessionid=xxx" to urls)
         // to avoid mistakes in URL parsing by download servlets
+        servletContextHandler.getSessionHandler().getSessionCookieConfig().setHttpOnly(true);
+        servletContextHandler.getSessionHandler().getSessionCookieConfig().setSecure(true);
         servletContextHandler.getSessionHandler()
                 .setSessionIdPathParameterName(null);
         String applicationName = "/" + DATA_STORE_SERVER_WEB_APPLICATION_NAME;
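Review bot: The two added `getSessionCookieConfig()` calls sit between the existing "Disable URL rewriting" comment and the `setSessionIdPathParameterName(null)` call that comment describes, so it now reads as if it explained the cookie flags. Move the new lines above the comment and give them their own, e.g. `// Session cookie: HttpOnly hides it from scripts, Secure restricts it to HTTPS`. `setSecure(true)` is unconditional, so if this server can be started without TLS (not visible in this hunk) browsers will not send the session cookie back over plain HTTP and sessions will fail without an obvious error; consider tying the flag to the TLS setting. `SessionCookieConfig` also covers only the container's session cookie, so any cookie a servlet creates itself still needs its own flags before the subject's "all cookies" holds. The enclosing method starts and ends outside the hunk.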
-- 
GitLab