/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.shiro.web.servlet;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Abstraction over an HTTP cookie, exposing every attribute through pojo-style accessors, including
 * <a href="http://www.owasp.org/index.php/HttpOnly">HttpOnly</a>.
 * Because the attribute is modelled here rather than taken from the container, Shiro can emit
 * <a href="http://www.owasp.org/index.php/HttpOnly">HttpOnly</a> cookies even on Servlet containers
 * based on the {@code 2.4} and {@code 2.5} API (Servlet API 'native' support was only introduced in
 * the {@code 3.0} specification).
 *
 * <p>The three attributes that matter most for session and remember-me cookies are
 * {@link #setSecure(boolean) Secure}, {@link #setHttpOnly(boolean) HttpOnly} and
 * {@link #setSameSite(SameSiteOptions) SameSite}. This interface declares no defaults for them;
 * check the implementation in use before relying on any particular value.</p>
 *
 * @since 1.0
 */
public interface Cookie {

    // Interface fields are implicitly public, static and final, so the modifiers are omitted.

    /**
     * The value of deleted cookie (with the maxAge 0).
     */
    String DELETED_COOKIE_VALUE = "deleteMe";

    /**
     * The number of seconds in one year (= 60 * 60 * 24 * 365).
     */
    int ONE_YEAR = 365 * 24 * 60 * 60;

    /**
     * Root path to use when the path hasn't been set and request context root is empty or null.
     */
    String ROOT_PATH = "/";

    /**
     * The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your
     * cookie should be restricted to a first-party or same-site context.
     */
    enum SameSiteOptions {
        /**
         * Cookies will be sent in all contexts, i.e. sending cross-origin is allowed.
         *
         * <p>None used to be the default value, but recent browser versions made Lax the default value
         * to have reasonably robust defense against some classes of cross-site request forgery (CSRF)
         * attacks.</p>
         *
         * <p>None requires the Secure attribute in latest browser versions, so a cookie configured with
         * this option should also have {@link Cookie#setSecure(boolean) setSecure(true)}; browsers that
         * enforce the rule reject the cookie otherwise.</p>
         */
        NONE,

        /**
         * Cookies are allowed to be sent with top-level navigations and will be sent along with GET
         * requests initiated by third party website. This is the default value in modern browsers as
         * of 2020.
         */
        LAX,

        /**
         * Cookies will only be sent in a first-party context
         * and not be sent along with requests initiated by third party websites.
         */
        STRICT
    }

    /** @return the cookie name */
    String getName();

    /** @param name the cookie name */
    void setName(String name);

    /** @return the cookie value */
    String getValue();

    /** @param value the cookie value */
    void setValue(String value);

    /** @return the cookie's comment attribute */
    String getComment();

    /** @param comment the cookie's comment attribute */
    void setComment(String comment);

    /** @return the domain the cookie is scoped to */
    String getDomain();

    /**
     * @param domain the domain the cookie is scoped to; a broader domain exposes the cookie to more
     *               hosts, so keep it as narrow as the deployment allows
     */
    void setDomain(String domain);

    /** @return the cookie's maximum age (presumably seconds, in line with {@link #ONE_YEAR}) */
    int getMaxAge();

    /**
     * @param maxAge the cookie's maximum age (presumably seconds, in line with {@link #ONE_YEAR});
     *               per {@link #DELETED_COOKIE_VALUE}, {@code 0} is the value used for a deleted cookie
     */
    void setMaxAge(int maxAge);

    /** @return the path the cookie is scoped to */
    String getPath();

    /**
     * @param path the path the cookie is scoped to; see {@link #ROOT_PATH} for the fallback used when
     *             neither a path nor a request context root is available
     */
    void setPath(String path);

    /** @return {@code true} if the cookie carries the Secure attribute */
    boolean isSecure();

    /**
     * @param secure {@code true} to mark the cookie Secure, which tells the browser to send it over
     *               HTTPS only; needed for {@link SameSiteOptions#NONE} in current browsers
     */
    void setSecure(boolean secure);

    /** @return the cookie's version attribute */
    int getVersion();

    /** @param version the cookie's version attribute */
    void setVersion(int version);

    /** @return {@code true} if the cookie carries the HttpOnly attribute */
    boolean isHttpOnly();

    /**
     * @param httpOnly {@code true} to mark the cookie HttpOnly, which asks the browser to keep it out
     *                 of reach of client-side script
     */
    void setHttpOnly(boolean httpOnly);

    /** @return the SameSite policy configured for the cookie */
    SameSiteOptions getSameSite();

    /** @param sameSite the SameSite policy to apply; see {@link SameSiteOptions} for the trade-offs */
    void setSameSite(SameSiteOptions sameSite);

    /**
     * Stores this cookie on the given response. How the header is built is up to the implementation
     * and is not specified by this interface.
     *
     * @param request  the current request
     * @param response the response the cookie is written to
     */
    void saveTo(HttpServletRequest request, HttpServletResponse response);

    /**
     * Removes this cookie for the client. Per {@link #DELETED_COOKIE_VALUE}, a deleted cookie is
     * one sent with that value and a maxAge of 0; the details are left to the implementation.
     *
     * @param request  the current request
     * @param response the response the removal is written to
     */
    void removeFrom(HttpServletRequest request, HttpServletResponse response);

    /**
     * Reads this cookie's value for the given request/response pair. The result is client-supplied
     * data and should be treated as untrusted by callers. What is returned when the cookie is absent
     * is implementation-defined.
     *
     * @param request  the current request
     * @param response the current response
     * @return the cookie value as read by the implementation
     */
    String readValue(HttpServletRequest request, HttpServletResponse response);
}