Skip to content

Fixed missing HttpOnly in CmsFlexResponse addCookie method#845

Open
Thyodas wants to merge 1 commit into
alkacon:masterfrom
Thyodas:fix/missing-httponly
Open

Fixed missing HttpOnly in CmsFlexResponse addCookie method#845
Thyodas wants to merge 1 commit into
alkacon:masterfrom
Thyodas:fix/missing-httponly

Conversation

@Thyodas

@Thyodas Thyodas commented Jun 16, 2026

Copy link
Copy Markdown

Hello,

When using CmsJspBean I noticed that getResponse().addCookie() didn't properly set HttpOnly flag to the headers.
CmsFlexResponse::addCookie override doesn't seem to handle HttpOnly.

This pull request adds the HttpOnly support to the response wrapper.

Changes made

Adding this condition to addCookie method.

// HttpOnly
if (cookie.isHttpOnly()) {
    header.append("; HttpOnly");
}

Temporary workaround

Using an unwrap to get the original response class, and thus the original addCookie implementation

(this is really hacky, but works)

private HttpServletResponse unwrap(HttpServletResponse response) {
    while (response instanceof HttpServletResponseWrapper) {
        response = (HttpServletResponse) ((HttpServletResponseWrapper) response).getResponse();
    }
    return response;
}

// addJwtCookies is a custom helper I created to add my cookies
public void addJwtCookies(HttpServletResponse response, String jwt) {
    if (response instanceof CmsFlexResponse) {
        // Currently, CmsFlexResponse overrides addCookies and is missing any handling of HttpOnly
        response = unwrap(response);
    }

    Cookie jwtCookie = generateJwtCookie(jwt);
    response.addCookie(jwtCookie);
}

To go further

I was wondering, is this override still useful? Would it be safer/more future-proof to keep the base implementation?

Thanks in advance!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant