[Enhancement] Set cookie path & http_only to make it more safe

Signed-off-by: Rohit Satardekar <[email protected]>
StarRocks · Sep 20, 2024 · a4e89d2 · a4e89d2
1 parent 266bfc8
commit a4e89d2
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/fe/fe-core/src/main/java/com/starrocks/http/action/WebBaseAction.java b/fe/fe-core/src/main/java/com/starrocks/http/action/WebBaseAction.java
@@ -272,6 +272,8 @@ protected void addSession(BaseRequest request, BaseResponse response, SessionVal
         String key = UUID.randomUUID().toString();
         DefaultCookie cookie = new DefaultCookie(STARROCKS_SESSION_ID, key);
         cookie.setMaxAge(STARROCKS_SESSION_EXPIRED_TIME);
+        cookie.setPath("/");
+        cookie.setHttpOnly(true);
         response.addCookie(cookie);
         HttpAuthManager.getInstance().addSessionValue(key, value);
     }