Merge pull request playframework#749 from mkurz/lighthouse-1802-patch

Secure PLAY_ERRORS & PLAY_LANG cookies when session is secure
jaesga · Apr 21, 2014 · 0d8ec2f · 0d8ec2f
2 parents 2e200c1 + e68849e
commit 0d8ec2f
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/framework/src/play/data/validation/ValidationPlugin.java b/framework/src/play/data/validation/ValidationPlugin.java
@@ -151,7 +151,7 @@ static void save() {
         if (Validation.errors().isEmpty()) {
             // Only send "delete cookie" header when the cookie was present in the request
             if(Http.Request.current().cookies.containsKey(Scope.COOKIE_PREFIX + "_ERRORS") || !Scope.SESSION_SEND_ONLY_IF_CHANGED) {
-                Http.Response.current().setCookie(Scope.COOKIE_PREFIX + "_ERRORS", "", "0s");
+                Http.Response.current().setCookie(Scope.COOKIE_PREFIX + "_ERRORS", "", null, "/", 0, Scope.COOKIE_SECURE);
             }
             return;
         }
@@ -171,7 +171,7 @@ static void save() {
                 }
             }
             String errorsData = URLEncoder.encode(errors.toString(), "utf-8");
-            Http.Response.current().setCookie(Scope.COOKIE_PREFIX + "_ERRORS", errorsData);
+            Http.Response.current().setCookie(Scope.COOKIE_PREFIX + "_ERRORS", errorsData, null, "/", null, Scope.COOKIE_SECURE);
         } catch (Exception e) {
             throw new UnexpectedException("Errors serializationProblem", e);
         }

diff --git a/framework/src/play/i18n/Lang.java b/framework/src/play/i18n/Lang.java
@@ -10,6 +10,7 @@
 import play.mvc.Http;
 import play.mvc.Http.Request;
 import play.mvc.Http.Response;
+import play.mvc.Scope;
 
 /**
  * Language support
@@ -80,7 +81,7 @@ public static void change(String locale) {
             Response response = Response.current();
             if ( response != null ) {
                 // We have a current response in scope - set the language-cookie to store the selected language for the next requests
-                response.setCookie(Play.configuration.getProperty("application.lang.cookie", "PLAY_LANG"), locale);
+                response.setCookie(Play.configuration.getProperty("application.lang.cookie", "PLAY_LANG"), locale, null, "/", null, Scope.COOKIE_SECURE);
             }
         }
 
@@ -152,7 +153,7 @@ private static void resolvefrom(Request request) {
                     return;
                 }
                 // could not use locale from cookie - clear the locale-cookie
-                Response.current().setCookie(cn, "");
+                Response.current().setCookie(cn, "", null, "/", null, Scope.COOKIE_SECURE);
 
             }