From 1907944aef88b4b95a6e39486fd731a49420c266 Mon Sep 17 00:00:00 2001 From: Greg Wilkins Date: Thu, 24 Nov 2011 09:11:52 +1100 Subject: [PATCH] 364657 Support HTTP only cookies from standard API --- .../org/eclipse/jetty/server/Response.java | 25 +++++++++++++++++-- .../eclipse/jetty/server/ResponseTest.java | 19 ++++++++++++++ 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/Response.java b/jetty-server/src/main/java/org/eclipse/jetty/server/Response.java index 1cf9d3c71ab..d5fa8321d62 100644 --- a/jetty-server/src/main/java/org/eclipse/jetty/server/Response.java +++ b/jetty-server/src/main/java/org/eclipse/jetty/server/Response.java @@ -53,6 +53,7 @@ public class Response implements HttpServletResponse { private static final Logger LOG = Log.getLogger(Response.class); + public static final int NONE=0, STREAM=1, @@ -65,6 +66,12 @@ public class Response implements HttpServletResponse */ public final static String SET_INCLUDE_HEADER_PREFIX = "org.eclipse.jetty.server.include."; + /** + * If this string is found within the comment of a cookie added with {@link #addCookie(Cookie)}, then the cookie + * will be set as HTTP ONLY. + */ + public final static String HTTP_ONLY_COMMENT="__HTTP_ONLY__"; + private final AbstractHttpConnection _connection; private int _status=SC_OK; private String _reason; 
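Review bot: The Javadoc on `HTTP_ONLY_COMMENT` does not tell callers what happens to the rest of the comment, or how the marker is matched. The `addCookie` hunk in this patch uses a case-sensitive `indexOf` anywhere in the comment, and that contract should be stated here, since this constant is the only public way to request HttpOnly through this method. I would add a sentence such as `The marker is matched as a case-sensitive substring; the comment passed on to the Set-Cookie header is the original text with the marker removed, or null if nothing remains.` This wording assumes stripping the marker is the intended behaviour.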
@@ -120,14 +127,28 @@ public class Response implements HttpServletResponse */ public void addCookie(Cookie cookie) { + String comment=cookie.getComment(); + boolean http_only=false; + + if (comment!=null) + { + int i=comment.indexOf(HTTP_ONLY_COMMENT); + if (i>=0) + { + http_only=true; + comment=comment.substring(i,i+HTTP_ONLY_COMMENT.length()).trim(); + if (comment.length()==0) + comment=null; + } + } _connection.getResponseFields().addSetCookie(cookie.getName(), cookie.getValue(), cookie.getDomain(), cookie.getPath(), cookie.getMaxAge(), - cookie.getComment(), + comment, cookie.getSecure(), - false,//cookie.isHttpOnly(), + http_only,// || cookie.isHttpOnly(), cookie.getVersion()); } diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java index 4b3b4fef5cf..6f2b1172f44 100644 --- a/jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java +++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ResponseTest.java @@ -29,6 +29,7 @@ import java.util.Map; import javax.servlet.ServletContext; import javax.servlet.ServletException; +import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSessionContext; 
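Review bot: In `addCookie`, `comment.substring(i,i+HTTP_ONLY_COMMENT.length())` keeps the marker and discards everything else, which looks like the opposite of what was intended. As written, any comment containing the marker is reduced to exactly `__HTTP_ONLY__`, so the `comment.length()==0` branch can never be taken and the marker, not the application's text, is handed to `addSetCookie`. Removing the marker instead would be `comment=comment.replace(HTTP_ONLY_COMMENT,"").trim();`, which also makes the null-on-empty check meaningful. Whether the comment reaches the wire depends on how `addSetCookie` treats the cookie version, which is not visible here, so the effect is probably only observable on version 1 cookies.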
@@ -485,6 +486,24 @@ public class ResponseTest } } + @Test + public void testAddCookie() throws Exception + { + Response response = new Response(new TestHttpConnection(connector,new ByteArrayEndPoint(), connector.getServer())); + + Cookie cookie=new Cookie("name","value"); + cookie.setDomain("domain"); + cookie.setPath("/path"); + cookie.setSecure(true); + cookie.setComment("comment__HTTP_ONLY__"); + + response.addCookie(cookie); + + String set = response.getHttpFields().getStringField("Set-Cookie"); + + assertEquals("name=value;Path=/path;Domain=domain;Secure;HttpOnly",set); + } + private Response newResponse() { ByteArrayEndPoint endPoint = new ByteArrayEndPoint();
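Review bot: `testAddCookie` only exercises a default-version cookie and asserts a header with no comment attribute at all, so it cannot tell whether `addCookie` stripped the marker or left it in the comment. Since HttpOnly is a security attribute, I would add a second case with `cookie.setVersion(1)` that asserts the emitted comment is the application text without `__HTTP_ONLY__`. A negative case is also missing: a cookie with an ordinary comment should yield a header without `HttpOnly`. A case where the comment is only the marker would cover the `comment=null` branch.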